Abstract

Automatic verification of hardware and software implementations is crucial for building reliable computer systems. Most verification tools rely on decision procedures to check the satisfiability of various formulas that are generated during the verification process. This thesis develops new techniques for building efficient decision procedures and adds new capabilities to the existing decision procedures for certain logics.

Boolean satisfiability (SAT) solvers are used heavily in verification tools as decision procedures for propositional logic. Most state-of-the-art SAT solvers are based on the Davis-Putnam-Logemann-Loveland (DPLL) algorithm and require the input formula to be in Conjunctive Normal Form (CNF). However, typical formulas that arise in practice are non-clausal, that is, not in CNF. Converting a general formula to CNF introduces overhead in the form of new variables and may destroy the structure of the initial formula, which can be useful to check satisfiability efficiently. We present two non-clausal SAT algorithms that operate on the Negation Normal Form (NNF) of the given formula. The NNF of a formula is usually more succinct than the CNF of the formula. The first algorithm is based on the idea of General Matings developed by Andrews in 1981. We develop techniques for performing search space pruning, learning, and non-chronological backtracking in the context of a General Matings based SAT solver. The second algorithm applies the DPLL algorithm to NNF formulas. We devise new algorithms for performing Boolean Constraint Propagation (BCP), a key task in the DPLL algorithm.

Most hardware verification tools convert a high level design into a low level representation called a netlist for verification. However, algorithms that operate at the netlist level are unable to exploit the structure of the higher abstraction levels such as register transfer level, and thus, are less scalable. This thesis proposes the use of predicate abstraction for verifying register transfer level (RTL) Verilog. Predicate abstraction is a technique introduced for software verification. There are two challenges when applying predicate abstraction to circuits: (i) the computation of the abstract model in the presence of a large number of predicates, and (ii) the discovery of suitable word-level predicates for abstraction refinement. We address the first problem using a technique called predicate clustering. We address the second problem by computing weakest pre-conditions of Verilog statements in order to obtain new word-level predicates during abstraction refinement.

An alternative technique for finding new predicates for refinement is based on the computation of Craig interpolants. Efficient algorithms are known for computing interpolants in rational and real linear arithmetic. We focus on subsets of integer linear arithmetic. Our main results are polynomial time algorithms for obtaining proofs of unsatisfiability and interpolants for conjunctions of linear diophantine equations, linear modular equations (linear congruences), and linear diophantine disequations. We show the utility of our interpolation algorithms for discovering modular/divisibility predicates in a counterexample guided abstraction refinement (CEGAR) framework. This has enabled verification of simple programs that cannot be checked using existing CEGAR based model checkers.
Chapter 1

Introduction


Computer systems form an integral part of our day to day life. They are increasingly being used in safety critical applications such as automobiles, medical devices, aircraft, and nuclear power plants. Automatic verification of the underlying hardware and software is crucial for building reliable computer systems. The goal of this thesis is to develop techniques and tools for obtaining scalable verification tools.

A decision procedure for a logic is an algorithm that reports whether a formula given in that logic is satisfiable or unsatisfiable. Decision procedures act as the reasoning engines in modern verification tools. In the first part of this thesis we focus on an important logic, namely Boolean (propositional) logic. Our contributions and related work are described in Section 1.1. Most hardware verification tools convert a high-level design into a gate-level representation called a netlist for verification. However, algorithms that operate at the netlist level are unable to exploit the structure of the higher abstraction levels, and can be less scalable. We develop techniques for verifying hardware designs at a higher level of abstraction than the netlist level. We describe our contributions and related work in Section 1.2. Recent hardware and software verification techniques expect the decision procedures to also provide proofs of unsatisfiability and Craig interpolants. We present our results on computing proofs of unsatisfiability and interpolants in Section 1.3.

1.1 Non-clausal Boolean Satisfiability Algorithms

The Boolean satisfiability (SAT) problem decides whether a given Boolean formula is satisfiable or unsatisfiable. The SAT problem is of central importance in various areas of computer science, including theoretical computer science, hardware and software verification, and artificial intelligence. The SAT problem is NP-complete [66] and no provably efficient algorithms are known for it. However, there have been significant (empirical) improvements [108, 117, 77] in the capacity of SAT solvers over the past decade. SAT solvers are now used routinely in many hardware verification techniques such as bounded model checking [42], k-induction [130], interpolation [112], and abstraction-refinement [53, 86, 115, 103, 87]. Many software verification and static analysis tools such as CBMC [64], F-Soft [90], SATABS [62], SATURN [143], and Calysto [31] rely on fast Boolean satisfiability solvers as well.

Many SAT solvers have been developed, most employing some combination of two main strategies: the Davis-Putnam-Logemann-Loveland (DPLL) search [70, 71] and heuristic local search [110]. Heuristic local search techniques are not guaranteed to be complete, that is, they are not guaranteed to find a satisfying assignment if one exists or to prove unsatisfiability. As a result, complete SAT solvers are based almost exclusively on the DPLL search. Some well-known complete SAT solvers are GRASP [108], SATO [145], zChaff [117], BerkMin [84], Siege [18], MiniSat [77, 8], RSat [14], and PicoSAT [13, 41]. From now on we will focus only on complete SAT solvers.

Most state-of-the-art SAT procedures require the input formula to be in conjunctive normal form (CNF). The design and implementation of SAT solvers becomes much easier if the input formulas are restricted to CNF. Given a truth assignment σ to a subset of the variables occurring in a formula, a Boolean constraint propagation (BCP) algorithm determines if σ falsifies the given formula; otherwise it provides the set of implied assignments (unit literals). Modern SAT solvers spend about 80%-90% of the total time in the BCP steps. For formulas in CNF, BCP can be carried out very efficiently using the two-watched literal scheme [117].
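The following Python is an added example, not code from the thesis or from any of the solvers it cites: it implements BCP on a CNF formula with the two-watched literal scheme described in [117], so that the effect of a partial assignment σ can be seen on concrete clauses. The class name, the DIMACS-style literal encoding (v for x_v, -v for its negation) and the sample clauses are this example's own constructions. Each clause keeps its two watched literals at positions 0 and 1; when a watched literal becomes false the clause is visited, and either a non-false replacement watch is found, the clause is already satisfied, the remaining watched literal is implied (unit), or every literal is false (conflict).

```python
from typing import Dict, List, Optional, Tuple

Literal = int  # DIMACS style: v stands for x_v, -v for its negation


def lit_value(assign: Dict[int, bool], lit: Literal) -> Optional[bool]:
    """Truth value of lit under a partial assignment; None if its variable is unassigned."""
    v = assign.get(abs(lit))
    if v is None:
        return None
    return v if lit > 0 else not v


class WatchedCNF:
    """CNF formula with two-watched-literal BCP (zChaff-style scheme; example code)."""

    def __init__(self, clauses: List[List[Literal]]) -> None:
        # Watched literals are always clause[0] and clause[1]; unit clauses are kept apart.
        self.clauses = [list(dict.fromkeys(c)) for c in clauses]
        self.assign: Dict[int, bool] = {}
        self.units: List[Literal] = []
        self.watches: Dict[Literal, List[int]] = {}   # literal -> clauses watching it
        for ci, clause in enumerate(self.clauses):
            if len(clause) == 1:
                self.units.append(clause[0])
            else:
                for lit in clause[:2]:
                    self.watches.setdefault(lit, []).append(ci)

    def _enqueue(self, lit: Literal, queue: List[Literal]) -> bool:
        """Assign lit if unassigned; returns False when lit is already false (conflict)."""
        val = lit_value(self.assign, lit)
        if val is False:
            return False
        if val is None:
            self.assign[abs(lit)] = lit > 0
            queue.append(lit)
        return True

    def propagate(self, decisions: List[Literal]) -> Tuple[bool, List[Literal]]:
        """Assign the decision literals and run BCP.
        Returns (conflict_free, implied): implied lists the literals forced by unit
        clauses and by propagation, in the order they were derived (decisions excluded)."""
        queue: List[Literal] = []
        implied: List[Literal] = []
        for lit in self.units:
            if not self._enqueue(lit, queue):
                return False, implied
            implied.append(lit)
        for lit in decisions:
            if not self._enqueue(lit, queue):
                return False, implied
        while queue:
            flit = -queue.pop()                 # this literal has just become false
            old = self.watches.pop(flit, [])
            kept: List[int] = []
            conflict = False
            for ci in old:
                if conflict:                    # keep the remaining watches untouched
                    kept.append(ci)
                    continue
                clause = self.clauses[ci]
                if clause[0] == flit:           # put the false literal at index 1
                    clause[0], clause[1] = clause[1], clause[0]
                other = clause[0]
                if lit_value(self.assign, other) is True:
                    kept.append(ci)             # clause already satisfied, nothing to do
                    continue
                for k in range(2, len(clause)):
                    if lit_value(self.assign, clause[k]) is not False:
                        # move the watch to a literal that is not false
                        clause[1], clause[k] = clause[k], clause[1]
                        self.watches.setdefault(clause[1], []).append(ci)
                        break
                else:
                    kept.append(ci)             # no replacement: clause is unit or conflicting
                    if lit_value(self.assign, other) is False:
                        conflict = True
                    else:
                        self._enqueue(other, queue)
                        implied.append(other)
            if kept:
                self.watches[flit] = kept
            if conflict:
                return False, implied
        return True, implied


if __name__ == "__main__":
    # Constructed sample: (x1 v x2 v x3)(-x1 v x2)(-x2 v x3)(-x3 v -x1)
    print(WatchedCNF([[1, 2, 3], [-1, 2], [-2, 3], [-3, -1]]).propagate([1]))     # conflict
    print(WatchedCNF([[1, 2, 3], [-1, 2], [-2, 3], [-3, -1]]).propagate([-1, -2]))  # implies x3
```

Only the two watched positions of a clause are ever inspected when a literal becomes false, which is why the scheme makes BCP cheap on CNF; the hpgraph-based BCP described later in this chapter generalizes this idea beyond clauses.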

While most DPLL based SAT solvers operate on CNF, there has been work on applying DPLL directly to circuit representations [79, 106, 137]. In [79] a hybrid SAT solver is described where the original formula is processed in circuit form, and learned clauses are processed separately in CNF. The circuit-based BCP is implemented by means of a lookup table. The lookup table determines the next state of a gate (or its inputs) based upon the current value of its inputs and output. The BCP on learned clauses uses the two-watched literal scheme [117]. In [137] a watched literal scheme is proposed for efficient BCP on a given circuit.

Typical formulas generated by industrial applications are not necessarily in CNF. We refer to these formulas as non-clausal formulas. In order to check the satisfiability of a non-clausal formula φ using a CNF based SAT solver, φ needs to be converted to CNF. This is done by introducing new variables [138, 124]. The result is a CNF formula φ' which is equi-satisfiable to φ and is polynomial in the size of φ. This is the most common way of converting φ to a CNF formula. Conversion of a non-clausal formula to a CNF formula destroys the initial structure of the formula, which can be crucial for efficient satisfiability checking. The advantage of introducing new variables to convert φ to φ' is that it can allow for an exponentially shorter proof than is possible by completely avoiding the introduction of new variables [98]. However, the translation from φ to φ' also introduces a large number of new variables and clauses, which can potentially increase the overhead during the BCP steps and make the decision heuristics less effective. In order to reduce this overhead, modern CNF SAT solvers use pre-processing techniques that try to eliminate certain variables and clauses [75]. The disadvantage of pre-processing is that it does not always lead to an improvement in SAT solver performance. It can also fail on large examples due to significant memory overhead¹.

¹ In SAT competitions the solvers disable pre-processing when the problem has more than a few million clauses to avoid running out of memory.
1.1.1 Outline of Our Results


A Boolean formula is in negation normal form (NNF) iff it contains only the Boolean connectives ∧ (AND), ∨ (OR) and ¬ (NOT) and the scope of each occurrence of ¬ is a Boolean variable.

We propose a new SAT solving framework based on a representation known as vertical-horizontal path form (vhpform) due to Peter Andrews [29, 30]. The vhpform is a two-dimensional representation of formulas in NNF. We represent the vhpform of a given NNF formula in the form of two graphs called vpgraph and hpgraph. The vpgraph encodes the disjunctive normal form and the hpgraph encodes the conjunctive normal form of a given NNF formula. The size of these graphs is linear in the size of the given formula. We develop two non-clausal SAT algorithms that use the vpgraph and the hpgraph of a given formula.

The first algorithm is based on the idea of General Matings [29]. A path in a vpgraph starting from a root node and ending at a leaf node is called a vertical path. Each vertical path corresponds to a term (conjunction of literals) in a DNF representation of a given formula. At a high level our search algorithm enumerates all possible vertical paths in the vpgraph of a given formula until a vertical path is found that does not contain two opposite literals. If such a path is found the given formula is satisfiable. If every vertical path contains two opposite literals, then the given formula is unsatisfiable. The number of vertical paths can be exponential in the size of a given formula. Thus, the key challenge in obtaining an efficient SAT solver based on this method is to prevent the explicit enumeration of vertical paths as much as possible. We develop new techniques for preventing the explicit enumeration of vertical paths.

A path in an hpgraph starting from a root node and ending at a leaf node is called a horizontal path. Each horizontal path corresponds to a clause (disjunction of literals) in a CNF representation of a given formula. The hpgraph provides a compact encoding of all clauses present in a given NNF formula. The second algorithm applies the DPLL algorithm to the hpgraph representation of a given formula. The main challenge in this algorithm is to efficiently perform Boolean constraint propagation (BCP) on the hpgraph representation. We generalize the idea of the two-watched literal scheme used in CNF SAT solvers in order to efficiently carry out BCP on hpgraphs. We evaluated the new solver on a large collection of non-clausal benchmarks drawn from bounded model checking, k-induction, equivalence checking, and software verification. The new solver is competitive with current state-of-the-art solvers in terms of run time and number of problems solved.

We refer to our algorithms as non-clausal SAT algorithms as they do not require the conversion of a given formula to CNF.
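As an added illustration of the two path notions above (this is example code written for this page, not the thesis's vpgraph/hpgraph implementation), the Python below converts a formula to NNF by pushing negations to the variables without introducing new variables, then enumerates the vertical paths (DNF terms) and horizontal paths (CNF clauses) of the NNF formula and performs the naive General Matings check: the formula is satisfiable iff some vertical path contains no pair of opposite literals. The tuple-based formula syntax, function names and sample formulas are this example's own constructions; the explicit enumeration shown here is exactly the exponential blow-up the thesis's pruning techniques avoid, and none of those techniques are reproduced.

```python
from itertools import product
from typing import FrozenSet, List, Optional, Tuple

# Formula syntax (constructed for this example):
#   ('var', name) | ('not', f) | ('and', f1, f2, ...) | ('or', f1, f2, ...)
# NNF nodes replace ('var', ...) by ('lit', name, polarity); ('lit', 'x', False) is ¬x.
Literal = Tuple[str, bool]


def to_nnf(f, negate: bool = False):
    """Push negations down to the variables using De Morgan's laws (no new variables)."""
    op = f[0]
    if op == 'var':
        return ('lit', f[1], not negate)
    if op == 'not':
        return to_nnf(f[1], not negate)
    if op in ('and', 'or'):
        if negate:                         # ¬(a ∧ b) = ¬a ∨ ¬b and dually
            op = 'or' if op == 'and' else 'and'
        return (op,) + tuple(to_nnf(g, negate) for g in f[1:])
    raise ValueError(f"unknown connective {op!r}")


def vertical_paths(nnf) -> List[FrozenSet[Literal]]:
    """Vertical paths of an NNF formula: each is a DNF term (conjunction of literals)."""
    op = nnf[0]
    if op == 'lit':
        return [frozenset([(nnf[1], nnf[2])])]
    children = [vertical_paths(g) for g in nnf[1:]]
    if op == 'or':                         # a path goes through one disjunct
        return [p for paths in children for p in paths]
    # conjunction: a path goes through every conjunct, so join one path per child
    return [frozenset().union(*combo) for combo in product(*children)]


def horizontal_paths(nnf) -> List[FrozenSet[Literal]]:
    """Horizontal paths of an NNF formula: each is a CNF clause (disjunction of literals)."""
    op = nnf[0]
    if op == 'lit':
        return [frozenset([(nnf[1], nnf[2])])]
    children = [horizontal_paths(g) for g in nnf[1:]]
    if op == 'and':                        # a clause comes from one conjunct
        return [p for paths in children for p in paths]
    return [frozenset().union(*combo) for combo in product(*children)]


def has_opposite_literals(path: FrozenSet[Literal]) -> bool:
    """True if the path contains both x and ¬x for some variable x."""
    return any((v, not pol) in path for (v, pol) in path)


def matings_sat(formula) -> Optional[FrozenSet[Literal]]:
    """Naive General Matings check by explicit enumeration of vertical paths.
    Returns the first path free of opposite literals (a satisfying partial
    assignment), or None when every vertical path is contradictory."""
    for path in vertical_paths(to_nnf(formula)):
        if not has_opposite_literals(path):
            return path
    return None


# Constructed samples.
X, Y, Z = ('var', 'x'), ('var', 'y'), ('var', 'z')
PHI_UNSAT = ('and', ('or', X, Y), ('or', ('not', X), Z), ('not', ('or', Y, Z)))
PHI_SAT = ('and', ('or', X, Y), ('not', ('and', X, Y)))   # exactly one of x, y

if __name__ == "__main__":
    print(to_nnf(PHI_UNSAT))
    print(len(vertical_paths(to_nnf(PHI_UNSAT))), "vertical paths,",
          len(horizontal_paths(to_nnf(PHI_UNSAT))), "horizontal paths")
    print(matings_sat(PHI_UNSAT), matings_sat(PHI_SAT))
```

Note that the NNF of PHI_SAT mentions only x and y, whereas a Tseitin-style CNF encoding of the same formula would introduce a fresh variable for each of the three sub-formulas; this is the V_nnf versus V_cnf difference discussed in Section 1.1.2.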

1.1.2 Comparison with Related Work

The key differences between existing work and our work are as follows:

1. Unlike heuristic local search based techniques, we propose complete SAT solvers.

2. Our algorithms do not operate on the circuit or CNF representation of a given formula/circuit. In our approach a given formula/circuit is converted to an equi-satisfiable negation normal form (NNF) formula. The NNF formula is then represented in the form of two graphs called the vpgraph and hpgraph. These graphs are used in our SAT algorithms.

3. Our solvers handle formulas containing ∧, ∨, ¬ operators and no structure sharing directly, without introduction of new variables. Observe that these formulas can easily be converted to NNF by pushing the negations to the variables using De Morgan's laws. The existing CNF and circuit based SAT solvers require introduction of new variables for each intermediate gate or sub-formula.

4. We are also able to handle formulas with structure sharing or formulas containing other operators such as if-then-else (ITE), iff (⇔), and xor (⊕). This is done by converting these formulas to NNF formulas as described in Chapter 2. The conversion to NNF may require addition of new variables. Let V_nnf and V_cnf denote the number of new variables introduced when converting a given formula/circuit to NNF and CNF, respectively. We provide empirical justification that V_nnf is usually much smaller than V_cnf, sometimes by an order of magnitude.

5. There is also a crucial difference between the General Matings based algorithm and the DPLL algorithm. In DPLL the search space is the set of all possible assignments to the Boolean variables, whereas in General Matings the search space is the set of all possible vertical paths in the vpgraph of a given formula. To the best of our knowledge there is no direct relationship between these search spaces.


1.2 Techniques for Word-Level Verification

Most hardware design is done at a high level of abstraction, e.g., using the register transfer level (RT-level or RTL), or even at the system level. An RTL design describes a digital circuit in terms of data flow between registers, which store information between clock cycles in a digital circuit. The RT-level of a hardware description language such as Verilog is very similar to a software program with features for hardware design such as bit-vectors. Most formal verification tools used in the hardware industry convert a high level RTL design to a low level design, usually a netlist, for verification. A netlist is a description of a hardware design using gates (combinational elements) and latches (state-holding elements). Verification at the netlist level can be more difficult, as the high level structure of an RTL program is lost during the conversion to a netlist. For example, a multiplication operator in an RTL program gets replaced by a multiplier circuit in the netlist. This can make verification at the netlist level less scalable.

Fig. 1.1 (a) shows the various levels of abstraction for hardware design. The ease of design increases as we move up from the netlist level to the system level. Fig. 1.1 (b) shows that hardware verification tools convert (synthesize) a high-level design to a netlist for verification. As argued earlier, verification at the netlist level can be more difficult, and thus, there is a need for verification techniques that operate directly at the RT-level or system-level. Such techniques are also referred to as word-level verification techniques.

Figure 1.1: (a) Various levels of abstraction for hardware design. (b) Existing formal verification tools convert a design to a netlist.


1.2.1 Model Checking and Abstraction

Model checking [58, 60] is an automatic technique for the verification of finite-state concurrent systems. It has been used successfully in practice to verify complex circuit designs and communication protocols. Model checking systematically explores the state space of a given design and checks that each reachable state satisfies the property of interest. If the design fails to satisfy a desired property, the process of model checking produces a counterexample that demonstrates a behavior that falsifies the property. By making use of symbolic algorithms [52, 111, 42, 26] based on Binary Decision Diagrams (BDDs) [51] or fast satisfiability solvers (SAT solvers) [108, 117, 8], current model checkers can scale to systems with a large number of states.

In industrial hardware designs the number of states is extremely large. This results in a state explosion problem during model checking even when symbolic model checking algorithms are used. One principal method in state space reduction is abstraction. Abstraction techniques reduce the state space by mapping the set of states of the actual, concrete system to an abstract, and smaller, set of states in a way that preserves the relevant behaviors of the system.

Many formal verification tools use abstraction techniques that produce a conservative over-approximation of the concrete system. This implies that if the abstraction satisfies a given property, the property also holds on the original concrete system. The drawback of the conservative abstraction is that when model checking of the abstraction fails, it may produce an abstract counterexample that does not correspond to any concrete counterexample. This is usually called a spurious counterexample [55].

In order to check if an abstract counterexample is spurious, the abstract counterexample is simulated on the concrete program. This is called the simulation step. As in bounded model checking (BMC) [42], the concrete transition relation for the design and the given property are jointly unwound to obtain a Boolean formula. The number of unwinding steps is given by the length of the abstract counterexample. The Boolean formula is then checked for satisfiability using a SAT procedure. If the instance is satisfiable, the counterexample is real and the procedure terminates. If the instance is unsatisfiable, the abstract counterexample is spurious, and abstraction refinement has to be performed.

The basic idea of abstraction refinement techniques [102, 55, 61, 33] is to create a new abstract model that contains more detail in order to prevent the spurious counterexample. This process is iterated until the property is either proved or disproved. It is known as the Counterexample Guided Abstraction Refinement framework, or CEGAR for short [55]. The CEGAR loop is shown in Fig. 1.2.

Figure 1.2: Counterexample Guided Abstraction and Refinement (CEGAR) Loop. (Only two box labels of the figure survive in the text: "Small abstract model D'" and "Does C_abs correspond to real bug in D?".)


1.2.2 Abstraction Techniques for Circuits

Most model checkers used in hardware verification operate on a low level design, usually a netlist. At the netlist level, a commonly used abstraction technique is localization reduction [102, 142, 87]. The abstract model is created from the given circuit by removing a large number of latches together with the logic required to compute their next state. The latches that are removed are called the invisible latches. The latches remaining in the abstract model are called visible latches. For example, the initial abstract model can be created by making the latches present in the property visible, and the rest invisible. The refinement is done by moving more latches from the set of invisible latches to the set of visible latches. The refinement step is usually based on the analysis of a spurious counterexample.

A proof-based approach is followed in [115, 86] where a proof of unsatisfiability produced by a SAT solver is used to refine the abstraction. The advantage of the proof-based approaches is that all counterexamples up to a given depth are eliminated from the abstract model at each refinement step.

McMillan [112] describes a SAT-based method for finite-state model checking based on the use of interpolants. In [112] the idea of interpolation is combined with bounded model checking to obtain an over-approximate image operator. This allows obtaining over-approximations of the reachable set of states without using the costly image computation (existential quantification) operations. The use of interpolation helps the verification procedure focus only on the parts of the design that are relevant to proving the property.

1.2.3 Outline of Our Results

As described above there are numerous abstraction techniques available for verification at the netlist level. However, very few abstraction techniques are known for verification at the word-level. Since word-level hardware designs are similar to software, we propose the use of abstraction algorithms that have been devised for software verification.

In the software domain, one successful abstraction technique for large systems is predicate abstraction [85]. It abstracts data by only keeping track of certain predicates on the data. Each predicate is represented by a Boolean variable in the abstract program, while the original data variables are eliminated. Predicate abstraction of ANSI-C programs in combination with the CEGAR loop was introduced by Ball and Rajamani [33] and promoted by the success of the SLAM project. The goal of the SLAM project is to verify that Windows device drivers obey API conventions.

We apply predicate abstraction in combination with the CEGAR loop for verifying RTL Verilog programs. There are two challenges when applying predicate abstraction to circuits: 1) the computation of the abstract model in the presence of a large number of predicates, and 2) the discovery of suitable word-level predicates for abstraction refinement. We address these problems as part of this thesis.

1.2.4 Comparison with Related Work

While localization reduction is a special case of predicate abstraction, predicate abstraction can result in a much smaller abstract model. As an example, assume a circuit contains two registers, each encoding a number. Predicate abstraction can keep track of a numerical relation between the two numbers using a single predicate, and thus, using a single state bit in the abstract model. In contrast, localization reduction typically turns all bits of the two registers into visible latches, and thus, the abstraction is identical to the original model.

Clarke et al. [63] introduce a SAT-based technique for predicate abstraction of netlist level circuits. The use of a SAT solver like zChaff [117] in order to perform the abstraction allows precise modeling of bit-vector semantics. However, their approach suffers from two drawbacks. 1) Each transition in the abstract model is computed by a separate run of the SAT solver. Thus, the learning done by a SAT solver in the form of conflict clauses is lost when computing other transitions in the abstract model. 2) If refinement becomes necessary, only bit-level predicates are introduced. This method of refinement closely resembles refinement techniques for localization reduction.

Andraus et al. [28] present a scheme for automatic abstraction of behavioral RTL Verilog to the CLU language [50]. The CLU language allows modeling using terms, uninterpreted functions, equality, lambda expressions, and counters. In order to remove spurious behaviors from the abstract model, a refinement procedure is described in [27]. The techniques in [28, 27] were shown to be useful in the context of microprocessor correspondence checking. The techniques we propose are different from those in [28, 27] and are geared towards property (assertion) checking of hardware designs.

A pre-image computation generates the set of states from which it is possible to reach a given set of states with one transition. It is a basic operation in model checking [58] and target enlargement approaches [39]. The idea of computing a pre-image is the same as computing the weakest precondition of a given set of states, although the latter term is more commonly used in software verification. Most existing hardware model checkers compute the pre-image at the netlist level and represent it symbolically using BDDs. As in software verification, our use of weakest preconditions or pre-images is at the word (expression) level.

We use weakest pre-conditions for discovering new predicates for refinement. This technique can lead to too many refinement iterations or may not even terminate in some cases, for example, when we need to track the value of an n bit counter c in an abstract model precisely. In this case refinement using weakest pre-conditions can lead to 2^n iterations, where each iteration discovers a predicate of the form c = v, 0 ≤ v ≤ 2^n − 1. In localization reduction the value c can be tracked precisely by making each bit in c a visible latch. It is possible to get the benefits of localization reduction in our technique as well by adding c[0], ..., c[n − 1] as predicates. The combination of predicate abstraction and localization reduction is studied in detail by Wang et al. [140].


Lahiri and Bryant [104] propose an extension to predicate abstraction that uses predicates with free (index) variables. This allows verification of safety properties of unbounded systems. In our context, indexed predicates can be useful when dealing with memories or input variables. The predicate discovery heuristics described in [104] can be used in our context.


An alternative technique for discovering new predicates is based on Craig interpolation [113, 89]. This technique is used in a state-of-the-art software model checker, BLAST [2]. In order to apply this idea to circuits, an interpolating theorem prover for bit-vector logic [49, 38, 32, 107, 82, 48] is required. At present, it is not known how to build a practical interpolating theorem prover for bit-vector logic. We have developed an efficient interpolation algorithm for conjunctions of linear modular equations (linear congruences). Our algorithm handles the interpolation problem for a subset of bit-vector logic.
1.3 Craig Interpolation for Subsets of Integer Linear Arithmetic

Figure 1.3: Formulas F, G, I represented as sets. F ∧ G is unsatisfiable and I represents an interpolant for (F, G).


The use of Craig interpolation [67] has led to powerful hardware [112] and software [89, 114] model checking techniques. Given two formulas F, G such that F ∧ G is unsatisfiable, a Craig interpolant for the pair (F, G) is a formula I with the following properties: 1) F ⇒ I, 2) I ∧ G is unsatisfiable, and 3) I refers only to the common variables of F and G. One can view a formula as the set of states that make the formula true. Figure 1.3 shows that the sets representing formulas F, G are disjoint. The set representing the interpolant I for (F, G) is an over-approximation (superset) of F and is disjoint from G.

In [112] the idea of interpolation is used for obtaining over-approximations of the reachable set of states without using the costly image computation (existential quantification) operations. In [89, 99] interpolants are used for finding the right set of predicates in order to rule out spurious counterexamples in a CEGAR framework. An interpolating theorem prover performs the task of finding the interpolants. Such provers are available for various theories such as propositional logic, rational and real linear arithmetic and equality with uninterpreted functions [113, 144, 100, 99, 128, 101, 54].

    int nondet(void);   /* returns an arbitrary integer */

    void main()
    {
      int x = 1, y = 2;
      while (1)
      {
        x = x + 3 * nondet();
        y = y + 6 * nondet();
        if (x + y == 2)
          ERROR: ;
      }
    }

Figure 1.4: A C program with an unreachable ERROR label.


1.3.1 Motivating Example

Consider the C code in Fig. 1.4. The function call nondet() returns a random integer. We are interested in checking the reachability of the ERROR label. Intuitively, the ERROR label is unreachable because x + y is a multiple of 3 when the condition of the if statement is checked: initially x + y = 3, and each iteration adds 3·n1 + 6·n2 to it for some integers n1, n2. Existing weakest precondition based or interpolation based model checkers are not able to find the right predicates in order to show that the ERROR label is unreachable. In this example the right predicate is x + y ≡ 0 (mod 3), that is, x + y is a multiple of 3. We have developed new interpolation algorithms that are effective at discovering modular/divisibility predicates, such as x + y ≡ 0 (mod 3), from spurious counterexamples.
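As an added illustration (our code, not part of the thesis or of any interpolating prover), the following Python script states the one-iteration spurious counterexample of Fig. 1.4 as a pair (F, G): F encodes the path x0 = 1, y0 = 2, x1 = x0 + 3a, y1 = y0 + 6b, where the integers a, b stand for the two nondet() values (the variable names and the Formula helper are ours), and G encodes the error condition x1 + y1 = 2. It checks the three interpolant conditions of Section 1.3 for the candidate x1 + y1 ≡ 0 (mod 3) by exhaustive enumeration over a small integer box, which is a finite sanity check rather than a proof. It also shows that the non-modular candidate x1 + y1 = 3 is rejected, and that over the rationals F ∧ G is satisfiable, so no interpolant in rational linear arithmetic can exist for this pair.

```python
from fractions import Fraction
from itertools import product


class Formula:
    """A formula as a predicate over an assignment (dict) plus its free variables.
    Hypothetical helper for this example."""

    def __init__(self, free_vars, pred):
        self.vars = frozenset(free_vars)
        self.pred = pred

    def holds(self, assignment):
        return bool(self.pred(assignment))


def assignments(free_vars, bound):
    """All assignments of the given variables to integers in [-bound, bound]."""
    names = sorted(free_vars)
    for values in product(range(-bound, bound + 1), repeat=len(names)):
        yield dict(zip(names, values))


def implies(f, g, bound):
    """f => g on every assignment in the box (bounded check)."""
    return all(g.holds(s) for s in assignments(f.vars | g.vars, bound) if f.holds(s))


def jointly_unsat(f, g, bound):
    """f and g have no common model in the box (bounded check)."""
    return not any(f.holds(s) and g.holds(s) for s in assignments(f.vars | g.vars, bound))


def is_interpolant(f, g, i, bound=2):
    """Craig's conditions: 1) F => I, 2) I and G unsatisfiable, 3) vars(I) common to F and G."""
    common = f.vars & g.vars
    return i.vars <= common and implies(f, i, bound) and jointly_unsat(i, g, bound)


# One loop iteration of Fig. 1.4 in single-assignment form (constructed):
# x0 = 1, y0 = 2, x1 = x0 + 3a, y1 = y0 + 6b, with a, b the nondet() values.
F = Formula({"x0", "y0", "a", "b", "x1", "y1"},
            lambda s: s["x0"] == 1 and s["y0"] == 2
            and s["x1"] == s["x0"] + 3 * s["a"]
            and s["y1"] == s["y0"] + 6 * s["b"])
# The branch into ERROR after that iteration.
G = Formula({"x1", "y1"}, lambda s: s["x1"] + s["y1"] == 2)

# Candidate interpolants over the common variables x1, y1.
I_MOD3 = Formula({"x1", "y1"}, lambda s: (s["x1"] + s["y1"]) % 3 == 0)  # x1 + y1 = 0 (mod 3)
I_EQ3 = Formula({"x1", "y1"}, lambda s: s["x1"] + s["y1"] == 3)         # x1 + y1 = 3


def rational_model_exists():
    """Over Q the pair is not even inconsistent: a = -1/3, b = 0 satisfies both F and G,
    so no interpolant exists in rational linear arithmetic; divisibility is essential."""
    s = {"x0": 1, "y0": 2, "a": Fraction(-1, 3), "b": 0}
    s["x1"] = s["x0"] + 3 * s["a"]
    s["y1"] = s["y0"] + 6 * s["b"]
    return F.holds(s) and G.holds(s)


if __name__ == "__main__":
    print("F and G jointly unsat on the box:", jointly_unsat(F, G, 2))
    print("x1 + y1 = 0 (mod 3) is an interpolant:", is_interpolant(F, G, I_MOD3))
    print("x1 + y1 = 3 is an interpolant:", is_interpolant(F, G, I_EQ3))
    print("F and G satisfiable over Q:", rational_model_exists())
```

The box is deliberately small (bound 2), which is enough to contain the two integer models of F with a ∈ {-1, 0}; the equality candidate fails on the model with a = -1, where x1 + y1 = 0, while the congruence holds on both. The rational model is the reason a prover for LA(Q) cannot help here: the unsatisfiability of F ∧ G is a fact about the integers only.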

1.3.2 Outline of Our Results

Efficient algorithms are known for computing interpolants in rational and real linear arithmetic [113, 128, 54]. Linear arithmetic formulas where all variables are constrained to be integers are said to be formulas in (pure) integer linear arithmetic or LA(Z), where Z is the set of integers. There are no known efficient algorithms for computing interpolants for formulas in LA(Z). This is expected because checking the satisfiability of conjunctions of atomic formulas in LA(Z) is itself NP-hard. We show that for various subsets of LA(Z) one can compute proofs of unsatisfiability and interpolants in polynomial time. We demonstrate the utility of the proposed interpolation algorithms for discovering modular/divisibility predicates in a counterexample guided abstraction refinement (CEGAR) framework. This has enabled verification of simple programs that cannot be checked using existing CEGAR based model checkers.

1.4  Thesis  Outline 

• In chapter 2 we discuss the conversion of Boolean circuits to NNF formulas and the vertical-horizontal path form (vhpform) representation of NNF formulas. We describe how to represent the vhpform in the form of two graphs called vpgraph and hpgraph. This chapter forms the basis of our non-clausal SAT algorithms described in chapters 3 and 4.

• We describe our General Matings based SAT algorithm [91] in chapter 3. The techniques for search space pruning, learning, and non-chronological backtracking are presented, together with an experimental evaluation of the solver.

• In chapter 4 we describe our DPLL based SAT algorithm. We present an algorithm for carrying out Boolean constraint propagation on hpgraphs by using a generalization of the two-watched literal scheme and the vpgraph. We present an experimental evaluation of the solver.

• We present techniques for verifying register transfer level (RTL) Verilog using predicate abstraction and a counterexample guided abstraction refinement (CEGAR) loop [95, 96, 97, 23] in chapter 5.

• In chapter 6 we present our results on Craig interpolation for subsets of integer linear arithmetic [92].

• We conclude in chapter 7 with directions for future research.
Chapter 2

Graph Based Representations for Non-Clausal SAT Solving


The problem of Boolean (propositional) satisfiability (SAT) is of central importance in various areas of computer science, including theoretical computer science, artificial intelligence, and hardware/software design and verification. Most state-of-the-art SAT procedures are variations of the Davis-Putnam-Logemann-Loveland (DPLL) [70, 71] algorithm and require the input formula to be in conjunctive normal form (CNF). Typical formulas arising in practice are non-clausal, that is, not in CNF. Converting a non-clausal formula to CNF introduces overhead in the form of new variables and may destroy the initial structure of the formula, which can be crucial for efficient satisfiability checking.

We propose a new Boolean SAT solving framework based on a representation known as vertical-horizontal path form (vhpform) due to Peter Andrews [29, 30]. We develop two non-clausal SAT algorithms that use the vhpform of a given formula. We describe the vhpform representation in this chapter. In chapters 3 and 4 we describe our SAT algorithms that use the vhpform of a given formula.

A Boolean formula is in negation normal form (NNF) iff it contains only the Boolean connectives ∧ (and), ∨ (or) and ¬ (not), and the scope of each occurrence of ¬ is a Boolean variable. We also require that there is no structure sharing in an NNF formula, that is, the output of a gate acts as input to at most one gate. In other words, an NNF formula is tree-like, as opposed to a circuit, which can be DAG-like.

The vhpform is defined for formulas in NNF. Most Boolean circuits obtained in practice are not in NNF. The conversion of Boolean circuits to NNF formulas is described in the next section.


2.1 Conversion of Boolean Formulas/Circuits to Negation Normal Form Formulas

In our work Boolean circuits are converted to NNF formulas in two stages. The first stage re-writes other operators (xor, iff, implies, if-then-else) in terms of the ∧, ∨, ¬ operators. For example, φ1 ⇔ φ2 (φ1 iff φ2) is written as (¬φ1 ∨ φ2) ∧ (φ1 ∨ ¬φ2). In order to avoid a blowup in the size of the resulting formula we allow sharing of sub-formulas. Thus, the first stage produces a formula containing ∧, ∨, ¬ gates, possibly with structure sharing. The second stage gets rid of the structure sharing in order to obtain an NNF formula. This is done by the introduction of new variables. We introduce a new variable for each gate that is different from a ¬ (not) gate and has a fanout greater than one. Observe that the conversion of a Boolean circuit to an NNF formula can be done in linear time in the size of the Boolean circuit.

Figure 2.1: Comparing number of variables in NNF formulas on the y-axis and number of variables in CNF formulas on the x-axis (x-axis label: #Variables in CNF before Pre-processing).
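As an added example (our code, not the thesis's implementation), the following Python carries out the two-stage conversion on a small constructed circuit. Gates are tuples and sharing is expressed by reusing the same tuple object. The first stage rewrites xor, iff, implies and if-then-else into ∧, ∨, ¬ while keeping that sharing; the second stage pushes negations to the variables and replaces every ∧/∨ gate with fanout greater than one by a fresh variable v, adding the defining constraint (¬v ∨ g) ∧ (v ∨ ¬g) in NNF. Two details are our own choices where the text leaves them open: a gate's fanout counts references that pass through ¬ gates, and the defining constraint is two-sided, so the result is equisatisfiable with the circuit and its models agree with the circuit's on the original variables, which the last function verifies by enumeration. All function names (stage1, fanout, to_nnf, circuit_to_nnf, equisatisfiable_on_inputs) are ours.

```python
from itertools import product

# Circuit gates are tuples; sharing is expressed by using the same tuple object twice.
# Ops: ('var', name), ('not', a), ('and', a, b), ('or', a, b), ('xor', a, b), ('iff', a, b),
# ('imp', a, b), ('ite', c, a, b). NNF output uses ('lit', name, positive), 'and', 'or'.
NOT = lambda x: ("not", x)
REWRITE = {"xor": lambda a, b: ("or", ("and", a, NOT(b)), ("and", NOT(a), b)),
           "iff": lambda a, b: ("and", ("or", NOT(a), b), ("or", a, NOT(b))),
           "imp": lambda a, b: ("or", NOT(a), b),
           "ite": lambda c, a, b: ("or", ("and", c, a), ("and", NOT(c), b))}

def stage1(g, memo):
    """Stage 1: rewrite xor/iff/implies/ite via and/or/not; memoised on object
    identity, so a shared gate is rewritten once and stays shared."""
    if g[0] == "var":
        return g
    if id(g) not in memo:
        args = [stage1(x, memo) for x in g[1:]]
        memo[id(g)] = (g[0], *args) if g[0] in ("not", "and", "or") else REWRITE[g[0]](*args)
    return memo[id(g)]

def strip_not(g, pos=True):
    """Follow a chain of not gates, flipping the polarity each time."""
    while g[0] == "not":
        g, pos = g[1], not pos
    return g, pos

def fanout(root):
    """Reference count of every and/or gate. A not gate is transparent: its references
    are charged to the gate it negates (our convention; the text leaves this open)."""
    counts, stack = {}, []
    top, _ = strip_not(root)
    if top[0] != "var":
        counts[id(top)], stack = 1, [top]
    while stack:
        for c, _ in map(strip_not, stack.pop()[1:]):
            if c[0] != "var":
                counts[id(c)] = counts.get(id(c), 0) + 1
                if counts[id(c)] == 1:
                    stack.append(c)
    return counts

def to_nnf(g, pos, ctx):
    """Stage 2: NNF of g (pos=True) or of its negation, tree-like (no sharing)."""
    g, pos = strip_not(g, pos)
    if g[0] == "var":
        return ("lit", g[1], pos)
    if ctx["counts"][id(g)] > 1:              # shared gate: stand in a fresh variable v
        if id(g) not in ctx["named"]:
            v = ctx["named"][id(g)] = "v%d" % (len(ctx["named"]) + 1)
            # defining constraint v <-> g, written (~v | g) & (v | ~g), both sides in NNF
            ctx["defs"].append(("and", ("or", ("lit", v, False), expand(g, True, ctx)),
                                       ("or", ("lit", v, True), expand(g, False, ctx))))
        return ("lit", ctx["named"][id(g)], pos)
    return expand(g, pos, ctx)

def expand(g, pos, ctx):
    """Expand an and/or gate; a negated gate is dualised (De Morgan)."""
    op = g[0] if pos else {"and": "or", "or": "and"}[g[0]]
    return (op, to_nnf(g[1], pos, ctx), to_nnf(g[2], pos, ctx))

def circuit_to_nnf(circuit):
    """Both stages: an NNF formula equisatisfiable with the circuit."""
    root = stage1(circuit, {})
    ctx = {"counts": fanout(root), "named": {}, "defs": []}
    result = to_nnf(root, True, ctx)
    for d in ctx["defs"]:                    # conjoin the definitions of shared gates
        result = ("and", result, d)
    return result

def is_nnf(f):
    return f[0] == "lit" or (f[0] in ("and", "or") and is_nnf(f[1]) and is_nnf(f[2]))

OPS = {"not": lambda a: not a, "and": lambda a, b: a and b, "or": lambda a, b: a or b,
       "xor": lambda a, b: a != b, "iff": lambda a, b: a == b,
       "imp": lambda a, b: (not a) or b, "ite": lambda c, a, b: a if c else b}

def evaluate(f, s):
    """Truth value of a circuit or NNF formula under the full assignment s."""
    if f[0] == "var":
        return s[f[1]]
    if f[0] == "lit":
        return s[f[1]] == f[2]
    return OPS[f[0]](*(evaluate(x, s) for x in f[1:]))

def variables(f):
    return {f[1]} if f[0] in ("var", "lit") else set().union(*(variables(x) for x in f[1:]))

def equisatisfiable_on_inputs(circuit, nnf):
    """For every input assignment: circuit true iff some value of the fresh
    variables makes the NNF true (exhaustive; small circuits only)."""
    ins = sorted(variables(circuit))
    fresh = sorted(variables(nnf) - set(ins))
    for vals in product([False, True], repeat=len(ins)):
        s = dict(zip(ins, vals))
        nnf_true = any(evaluate(nnf, {**s, **dict(zip(fresh, fv))})
                       for fv in product([False, True], repeat=len(fresh)))
        if evaluate(circuit, s) != nnf_true:
            return False
    return True

# Constructed sample: t = a xor b feeds two gates, so its stage-1 gate has fanout > 1.
A, B, C = ("var", "a"), ("var", "b"), ("var", "c")
T = ("xor", A, B)
CIRCUIT = ("and", ("iff", T, C), ("or", T, ("not", A)))
```

Running circuit_to_nnf(CIRCUIT) yields a formula over a, b, c and a single fresh variable v1 standing for the shared xor gate; the Tseitin translation of the same circuit would instead name every gate. A gate with fanout one is simply expanded in place, which is why the variable count of the NNF tracks the amount of sharing rather than the number of gates.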

In Figure 2.1 we compare the number of variables in the NNF and CNF representations of a collection of 2541 industrial non-clausal benchmarks (Boolean circuits). The CNF form was obtained by means of the standard Tseitin translation [138, 124]. We can see that the NNF forms have 5 to 10 times fewer variables. Modern CNF SAT solvers use pre-processing techniques in order to eliminate certain variables and clauses from the input CNF formula [75]. We compare the variables in the pre-processed CNF formulas and the corresponding NNF formulas in Figure 2.2. The CNF formulas were pre-processed using SatELite [75]. Observe that pre-processing is able to reduce the number of variables in the CNF formulas significantly. However, on the majority (> 70%) of benchmarks the CNF form still has more variables than the NNF form. The smaller number of variables in the NNF form (without any pre-processing) motivates the need for exploring SAT solving techniques that operate on NNF directly.

Figure 2.2: Comparing number of variables in NNF formulas on the y-axis and number of variables in pre-processed CNF formulas on the x-axis (x-axis label: #Variables in CNF after Pre-processing).

In the subsequent sections and the next two chapters we assume that the input Boolean formula/circuit has been converted to an NNF formula. Given an NNF formula φ our SAT algorithms check the satisfiability of φ without introducing any more new variables.

Figure 2.3: The vhpform for the formula (((p ∨ q) ∧ ¬r ∧ ¬q) ∨ (¬p ∧ (r ∨ ¬s) ∧ q)). We show the negation of a variable by a − sign.


2.2 Vertical-Horizontal Path Form

The internal representation in our satisfiability solver is NNF. More specifically, we use a two-dimensional representation of an NNF formula, called vertical-horizontal path form (vhpform) as described in [30]¹. In this form disjunctions are written horizontally and conjunctions are written vertically. For example, Fig. 2.3 shows the formula φ = (((p ∨ q) ∧ ¬r ∧ ¬q) ∨ (¬p ∧ (r ∨ ¬s) ∧ q)) in vhpform. We define two types of paths in the vhpform of a given formula.

Vertical path: A vertical path through a vhpform is a sequence of literals in the vhpform that results by choosing either the left or the right scope for each occurrence of ∨. For the vhpform in Fig. 2.3 the set of vertical paths is {(p, ¬r, ¬q), (q, ¬r, ¬q), (¬p, r, q), (¬p, ¬s, q)}.

Horizontal path: A horizontal path through a vhpform is a sequence of literals in the vhpform that results by choosing either the upper or the lower scope for each occurrence of ∧. For the vhpform in Fig. 2.3 the set of horizontal paths is {(p, q, ¬p), (p, q, r, ¬s), (p, q, q), (¬r, ¬p), (¬r, r, ¬s), (¬r, q), (¬q, ¬p), (¬q, r, ¬s), (¬q, q)}.

¹ In [30] the term vertical path form (vpform) is used in place of vertical-horizontal path form (vhpform). We use vertical-horizontal path form (vhpform) to emphasize the use of both vertical and horizontal paths.

Two important results regarding satisfiability of negation normal form formulas from [30] are given below. Let F be a formula in negation normal form and let σ be an assignment (σ can be a partial assignment).

Theorem 1 σ satisfies F iff there exists a vertical path P in the vhpform of F such that σ satisfies every literal in P.

Theorem 2 σ falsifies F iff there exists a horizontal path P in the vhpform of F such that σ falsifies every literal in P.

Example 1 The vhpform in Fig. 2.3 has a vertical path (p, ¬r, ¬q) whose every literal can be satisfied by an assignment σ that sets p to true and r, q to false. It follows from Theorem 1 that σ satisfies φ. Thus, φ is satisfiable. The literals in the vertical path (q, ¬r, ¬q) cannot all be satisfied simultaneously by any assignment (due to the opposite literals q and ¬q).

An assignment σ' that sets p, r to true falsifies every literal in the horizontal path (¬r, ¬p) in the vhpform of φ. Thus, from Theorem 2 it follows that σ' falsifies φ.
Let VP(φ) and HP(φ) denote the set of vertical paths and the set of horizontal paths in the vhpform of a given formula φ, respectively. We use l ∈ π to denote the occurrence of a literal l in a vertical/horizontal path π. The following result from [30] states that the set of vertical paths encodes the DNF and the set of horizontal paths encodes the CNF of a given formula.

Theorem 3 Let φ be an NNF formula.

(a) φ is equivalent to the DNF formula $\bigvee_{\pi \in \mathit{VP}(\phi)} \bigwedge_{l \in \pi} l$.

(b) φ is equivalent to the CNF formula $\bigwedge_{\pi \in \mathit{HP}(\phi)} \bigvee_{l \in \pi} l$.

Our SAT algorithms operate on graph based representations of the vhpform of a given formula. We describe these graph based representations below.

2.3 Graph Based Representations

2.3.1 Graphical Encoding of Vertical Paths (Vpgraph)

A graph containing all vertical paths present in the vhpform of an NNF formula is called a vpgraph. Given an NNF formula φ, we define the vpgraph Gv(φ) as a tuple (V, R, L, E, Lit), where V is the set of nodes corresponding to all occurrences of literals in φ, R ⊆ V is a set of root nodes, L ⊆ V is a set of leaf nodes, E ⊆ V × V is the set of edges, and Lit(n) denotes the literal associated with node n ∈ V. A node n ∈ R has no incoming edges and a node n ∈ L has no outgoing edges.

Figure 2.4: (a) The vhpform for the formula (((p ∨ q) ∧ ¬r ∧ ¬q) ∨ (¬p ∧ (r ∨ ¬s) ∧ q)) (b) the corresponding vpgraph.

The vpgraph containing all vertical paths in the vhpform of Fig. 2.4(a) is shown in Fig. 2.4(b). For the vpgraph in Fig. 2.4(b), we have V = {1, 2, 3, 4, 5, 6, 7, 8}, R = {1, 2, 5}, L = {4, 8}, E = {(1, 3), (2, 3), (3, 4), (5, 6), (5, 7), (6, 8), (7, 8)} and for each n ∈ V, Lit(n) is shown inside the node labeled n in Fig. 2.4(b). Each path in the vpgraph Gv(φ), starting from a root node and ending at a leaf node, corresponds to a vertical path in the vhpform of φ. For example, path (1, 3, 4) in Fig. 2.4(b) corresponds to the vertical path (p, ¬r, ¬q) in Fig. 2.4(a) (obtained by replacing each node n on the path by Lit(n)). Using this correspondence one can see that the vpgraph contains all vertical paths present in the vhpform shown in Fig. 2.4(a). Given φ, we can construct the vpgraph Gv(φ) = (V, R, L, E, Lit) directly without constructing the vhpform of φ. This is done inductively as follows:

• If φ is a literal l, then we create a graph containing just one node fv, where fv is a fresh identifier (node number). The literal stored inside fv is set to l.

  Gv(φ) = ({fv}, {fv}, {fv}, ∅, Lit) and Lit(fv) = l, where fv is a fresh identifier.

• If φ = φ1 ∨ φ2, then the vpgraph for φ is obtained by taking the union of the vpgraphs of φ1 and φ2. Let Gv(φ1) = (V1, R1, L1, E1, Lit1) and Gv(φ2) = (V2, R2, L2, E2, Lit2). Then Gv(φ) is the union of Gv(φ1) and Gv(φ2).

  Gv(φ) = (V1 ∪ V2, R1 ∪ R2, L1 ∪ L2, E1 ∪ E2, Lit1 ∪ Lit2)

• If φ = φ1 ∧ φ2, then the vpgraph for φ is obtained by concatenating the vpgraph of φ1 with the vpgraph of φ2. Let Gv(φ1) = (V1, R1, L1, E1, Lit1) and Gv(φ2) = (V2, R2, L2, E2, Lit2). Then Gv(φ) contains all the nodes and edges in Gv(φ1) and Gv(φ2). But Gv(φ) has additional edges connecting the leaves of Gv(φ1) with the roots of Gv(φ2). The set of additional edges is denoted as L1 × R2 below. The set of roots of Gv(φ) is R1, while the set of leaves is L2.

  Gv(φ) = (V1 ∪ V2, R1, L2, E1 ∪ E2 ∪ (L1 × R2), Lit1 ∪ Lit2)


2.3.2 Graphical Encoding of Horizontal Paths (Hpgraph)

A graph containing all horizontal paths present in the vhpform of an NNF formula is called an hpgraph. We use Gh(φ) to denote the hpgraph of a formula φ. The procedure for constructing an hpgraph is similar to the above procedure for constructing the vpgraph. The difference is that the hpgraph for φ = φ1 ∧ φ2 is obtained by taking the union of the hpgraphs for φ1 and φ2, and the hpgraph for φ = φ1 ∨ φ2 is obtained by concatenating the hpgraphs of φ1 and φ2.

The hpgraph containing all horizontal paths in the vhpform in Fig. 2.5(a) is shown in Fig. 2.5(b). For the hpgraph in Fig. 2.5(b), we have V = {1, 2, 3, 4, 5, 6, 7, 8}, R = {1, 3, 4}, L = {5, 7, 8}, E = {(1, 2), (2, 5), (2, 6), (2, 8), (3, 5), (3, 6), (3, 8), (4, 5), (4, 6), (4, 8), (6, 7)} and for each n ∈ V, Lit(n) is shown inside the node labeled n.

Figure 2.5: (a) The vhpform for the formula (((p ∨ q) ∧ ¬r ∧ ¬q) ∨ (¬p ∧ (r ∨ ¬s) ∧ q)) (b) the corresponding hpgraph.


It can be shown by induction that the vpgraph and hpgraph of an NNF formula are directed acyclic graphs (DAGs). One can also represent the vpgraph and hpgraph as directed series-parallel graphs. Series-parallel graphs have been widely studied and many problems that are NP-complete for general graphs can be solved in linear time for series-parallel graphs [135].

The construction of the vpgraph/hpgraph can be done in O(k) time/space where k is the size of the given NNF formula. We refer the reader to appendix A for more details.

When constructing an hpgraph/vpgraph from an NNF formula φ, each literal in φ gets represented as a new node in the hpgraph and vpgraph of φ. We assume that the node number corresponding to each literal l in φ is the same in the hpgraph and the vpgraph of φ. Thus, the sets of nodes in the hpgraph and vpgraph are identical.

In the following we define some terms that will be used in the next two chapters. When the distinction between Gh(φ) and Gv(φ) is not required we drop the subscripts and use G(φ).

2.3.3 Terminology

Let G(φ) = (V, R, L, E, Lit) denote a vpgraph or an hpgraph.

Definition 1 A path π = (n0, ..., nk) in G(φ) is said to be an r-path (rooted path) iff it starts with a root node (n0 ∈ R). Formally, π = (n0, ..., nk) is an r-path iff n0 ∈ R and (ni, ni+1) ∈ E for all 0 ≤ i < k.

In Fig. 2.4(b), (2, 3) is an r-path while (3, 4) is not an r-path.

Definition 2 A path π = (n0, ..., nk) in G(φ) is said to be an rl-path iff it starts at a root node and ends at a leaf node. Formally, π = (n0, ..., nk) is an rl-path iff n0 ∈ R, nk ∈ L and (ni, ni+1) ∈ E for all 0 ≤ i < k.

In Fig. 2.4(b), both (2, 3, 4) and (5, 6, 8) are rl-paths, but (3, 4) is not an rl-path.

There is a one-to-one correspondence between the rl-paths in Gv(φ) and the vertical paths in the vhpform of φ. There is a similar one-to-one correspondence between the rl-paths in Gh(φ) and the horizontal paths in the vhpform of φ. For example, path (1, 2, 6, 7) in Fig. 2.5(b) corresponds to the horizontal path (p, q, r, ¬s) in Fig. 2.5(a). The following corollary adapts Theorem 3 to the graphical representations.

Corollary 1 Let π denote an rl-path and n denote a node on π.

(a) φ is equivalent to the DNF formula $\bigvee_{\pi \in G_v(\phi)} \bigwedge_{n \in \pi} \mathit{Lit}(n)$.

(b) φ is equivalent to the CNF formula $\bigwedge_{\pi \in G_h(\phi)} \bigvee_{n \in \pi} \mathit{Lit}(n)$.

We will find it convenient to think of an rl-path π in Gh(φ) as a clause $\bigvee_{n \in \pi} \mathit{Lit}(n)$ in the CNF representation of φ. This is justified by the above corollary. Similarly, one can think of an rl-path π in Gv(φ) as a term (cube) $\bigwedge_{n \in \pi} \mathit{Lit}(n)$ in the DNF representation of φ.

2.4  Chapter  Summary 

We presented a two-dimensional representation of NNF formulas called vertical-horizontal path form (vhpform). The vhpform of an NNF formula contains vertical and horizontal paths. A vertical path is like a cube (term) in the DNF representation of a given formula, while a horizontal path is like a clause in the CNF representation of a given formula. The vpgraph encodes all vertical paths and the hpgraph encodes all horizontal paths. Both the vpgraph and the hpgraph can be obtained in linear time in the size of the given NNF formula.

Typical Boolean circuits arising in practice are not in NNF. Such circuits can be converted to NNF efficiently by introducing new variables. The NNF of a circuit is usually more succinct than the (pre-processed) CNF of the circuit in terms of the number of variables.
Chapter 3

General Matings based SAT Solver


General Matings is a theorem proving technique due to Andrews [29]. It is closely related to the Connection method discovered independently by Bibel [40]. Theorem provers based on these techniques have been used successfully in higher order theorem proving [21]. We use the General Matings idea to build a SAT solver for satisfiability problems arising in practice.

Theorem 1 (Section 2.2) forms the basis of our General Matings based SAT solver called SatMate. The idea is to check the satisfiability of a given NNF formula by examining the vertical paths in its vpgraph. At a high level our search algorithm enumerates all possible vertical paths in the vpgraph of a given formula until a vertical path is found that does not contain two opposite literals. If such a path is found the given formula is satisfiable. If every vertical path contains two opposite literals, then the given formula is unsatisfiable. The number of vertical paths can be exponential in the size of a given formula. Thus, the key challenge in obtaining an efficient SAT solver based on this method is to prevent the enumeration of vertical paths as much as possible. We develop several new techniques for preventing the enumeration of vertical paths. Our contributions can be summarized as follows.


3.1  Contributions 

• Our solver employs a combination of both vertical and horizontal path exploration for efficient SAT solving. The choice of which variable to assign next (decision making) is made using the vertical paths, which are similar to the terms (conjunctions of literals) in the DNF of a given formula. Conflict detection is aided by the use of horizontal paths, which are similar to the clauses (disjunctions of literals) in the CNF of a given formula.

• We show how to adapt the techniques found in the current state-of-the-art SAT solvers to our algorithm. We describe how to perform search space pruning, conflict driven learning, and non-chronological backtracking by using the vertical paths and horizontal paths in the vhpform of a given formula.

3.2  Preliminaries 

Let G(φ) = (V, R, L, E, Lit) denote a vpgraph or an hpgraph.

Definition 3 Two nodes n1, n2 ∈ V are said to be conflicting iff Lit(n1) = ¬Lit(n2).

In the vpgraph shown in Fig. 3.1(a), nodes 2, 4 are conflicting.

Figure 3.1: (a) The vpgraph for (((p ∨ q) ∧ ¬r ∧ ¬q) ∨ (¬p ∧ (r ∨ ¬s) ∧ q)) (b) the corresponding hpgraph.

Definition 4 We say an assignment σ satisfies (falsifies) a node n ∈ V iff σ satisfies (falsifies) Lit(n).

An assignment that sets q to true satisfies nodes 2, 8 and falsifies node 4 in Fig. 3.1(a).

Definition 5 We say an assignment σ satisfies (falsifies) a path π in G(φ) iff σ satisfies (falsifies) every node on π.

For example, in Fig. 3.1(a) path (5, 6, 8) is satisfied by an assignment which sets p to false and r, q to true. The same path is falsified by an assignment which sets p to true and r, q to false.

Definition 6 We say that a path π in G(φ) is satisfiable iff there exists an assignment which satisfies π.

In Fig. 3.1(a), path (5, 6, 8) is satisfiable, while the path (2, 3, 4) is not satisfiable due to the conflicting nodes 2, 4.

Recall that an rl-path in a vpgraph Gv(φ) corresponds to a vertical path in the vhpform of φ. Similarly, an rl-path in an hpgraph Gh(φ) corresponds to a horizontal path in the vhpform of φ. The following corollaries adapt Theorem 1 and Theorem 2 (Section 2.2) to the graph representations of the vhpform of a given formula φ.

Corollary 2 An assignment σ satisfies φ iff there exists an rl-path π in Gv(φ) such that σ satisfies π.

Corollary 3 An assignment σ falsifies φ iff there exists an rl-path π in Gh(φ) such that σ falsifies π.

The following corollary is a re-statement of Corollary 2.

Corollary 4 φ is satisfiable iff there exists an rl-path π in Gv(φ) which is satisfiable.

The following corollary connects the notion of conflicting nodes with the satisfiability of a path.

Corollary 5 A path π in G(φ) is satisfiable iff no two nodes on π are conflicting.

Discovery of unit literals from the hpgraph: Modern SAT solvers operating on a CNF representation employ a unit literal rule for efficient Boolean constraint propagation. The unit literal rule states that if all but one literal of a clause are set to false, then the un-assigned literal in the clause must be set to true under the current assignment. In our context the input formula is not necessarily represented in CNF; however, it is still possible to obtain the unit literal rule via the use of the hpgraph of a given formula. The following claim states the unit literal rule for non-clausal formulas.

Corollary 6 If an assignment σ falsifies all but one node (say n) on an rl-path π in Gh(φ) and Lit(n) is not already assigned by σ, then Lit(n) must be set to true under the current assignment σ in order to obtain a satisfying assignment.

Intuitively, each rl-path in the hpgraph corresponds to a clause in the CNF of a given formula (Corollary 1 (b)). Thus, at least one literal from each rl-path in Gh(φ) must be satisfied in order to obtain a satisfying assignment.

Example 2 Consider the hpgraph shown in Fig. 3.1(b) and an assignment σ which sets p, q to false and s to true. σ falsifies all but node 6 on the rl-path (1, 2, 6, 7) in the hpgraph. It follows from Corollary 6 that Lit(6), which is r, must be set to true under σ.

We  give  a  high  level  description  of  our  General  Matings  based  solver  called 
SatMate  below. 


3.3  Top  Level  Algorithm  Used  in  SatMate 

In order to check the satisfiability of an NNF formula φ, we obtain a vpgraph Gv(φ). From Corollary 4 it follows that φ is satisfiable iff Gv(φ) has a satisfiable rl-path. At a high level our search algorithm enumerates all possible rl-paths until a satisfiable rl-path is found. If no satisfiable rl-path is found, then φ is unsatisfiable. For DNF (or DNF-like) formulas the number of rl-paths in the vpgraph is small, linear in the size of the formula, and therefore the basic search algorithm is efficient. However, for formulas that are not in DNF, the algorithm of just enumerating all rl-paths in Gv(φ) does not scale. We have adapted several techniques found in modern SAT solvers, such as search space pruning, conflict driven learning and non-chronological backtracking, to make the search efficient.


Algorithm 3.1 Searching a vpgraph for a satisfiable rl-path.

Input: vpgraph Gv(φ) = (V, R, L, E, Lit) and hpgraph Gh(φ) = (V', R', L', E', Lit')
Output: If Gv(φ) has a satisfiable rl-path return SAT, else return UNSAT

 1: st ← R                              {push all roots in Gv(φ) on stack st}
 2: σ ← ∅                               {initial truth assignment is empty}
 3: ∀n ∈ V : mrk(n) ← false             {all nodes are un-marked to start with}
 4: while (st ≠ ∅) {stack st is not empty} do
 5:   m ← st.top()                      {top element of stack st}
 6:   if (mrk(m) = false) {can we extend current r-path CRP with m} then
 7:     if (prune() = conflict) {check if taking m causes conflict} then
 8:       learn()                       {compute reason for conflict and learn}
 9:       backtrack()                   {non-chronological backtracking}
10:       continue                      {goto while loop (line 4)}
11:     end if
12:     mrk(m) ← true                   {extend current satisfiable r-path with m}
13:     σ ← σ ∪ {Lit(m)}                {add Lit(m) to current assignment}
14:     if (m ∈ L) {node m is a leaf} then
15:       return SAT                    {we found a satisfiable rl-path in Gv(φ)}
16:     else
17:       push all children of m on st  {extend CRP with m to reach a leaf}
18:     end if
19:   else
20:     backtrack()                     {non-chronological backtracking}
21:   end if
22: end while
23: return UNSAT                        {no satisfiable rl-path exists in Gv(φ)}
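As an added, runnable illustration (our code, not SatMate), the following Python builds the vpgraph and hpgraph of an NNF formula by the inductive rules of Section 2.3, numbering literal occurrences left to right so that both graphs share node numbers as assumed in Section 2.3.2, enumerates rl-paths, checks Corollary 1 by exhaustive evaluation for the formula of Fig. 2.3, applies the unit literal rule of Corollary 6 to the assignment of Example 2, and runs a stripped-down version of Algorithm 3.1: a depth-first search of the vpgraph for a satisfiable rl-path in which prune() is only the conflict test of Corollary 5 against the current r-path and backtracking is chronological. Learning and non-chronological backtracking are not reproduced, and the recursion stands in for the explicit stack and mrk array of the listing. The function names (build, rl_paths, corollary1_holds, unit_literals, search) are ours.

```python
from itertools import product
from types import SimpleNamespace

# NNF formulas as tuples: ('lit', var, positive) | ('and', f1, f2) | ('or', f1, f2).
# A path graph carries (V, R, L, E, Lit): lit[n] = Lit(n), succ[n] = {m : (n, m) in E}.

def _build(phi, concat, g):
    """Inductive rules of Section 2.3: a literal is one fresh node (numbered left to
    right); the connective `concat` concatenates (edges L1 x R2, roots R1, leaves L2),
    the other connective takes the union. Returns (roots, leaves) of phi's graph."""
    if phi[0] == "lit":
        n = len(g.lit) + 1
        g.lit[n], g.succ[n] = (phi[1], phi[2]), set()
        return {n}, {n}
    r1, l1 = _build(phi[1], concat, g)
    r2, l2 = _build(phi[2], concat, g)
    if phi[0] == concat:
        for a in l1:
            g.succ[a] |= r2
        return r1, l2
    return r1 | r2, l1 | l2

def build(phi, kind):
    """kind 'vp': Gv(phi), conjunction concatenates; 'hp': Gh(phi), disjunction does."""
    g = SimpleNamespace(lit={}, succ={})
    g.roots, g.leaves = _build(phi, "and" if kind == "vp" else "or", g)
    return g

def rl_paths(g):
    """All root-to-leaf paths as node tuples: the vertical (Gv) or horizontal (Gh) paths."""
    out = []

    def walk(n, path):
        path += (n,)
        if n in g.leaves:
            out.append(path)
        for m in sorted(g.succ[n]):
            walk(m, path)

    for r in sorted(g.roots):
        walk(r, ())
    return out

def evaluate(phi, sigma):
    if phi[0] == "lit":
        return sigma[phi[1]] == phi[2]
    a, b = evaluate(phi[1], sigma), evaluate(phi[2], sigma)
    return (a and b) if phi[0] == "and" else (a or b)

def variables(phi):
    return {phi[1]} if phi[0] == "lit" else variables(phi[1]) | variables(phi[2])

def corollary1_holds(phi):
    """phi, the DNF over Gv rl-paths and the CNF over Gh rl-paths agree on every assignment."""
    gv, gh = build(phi, "vp"), build(phi, "hp")
    names = sorted(variables(phi))
    for vals in product([False, True], repeat=len(names)):
        s = dict(zip(names, vals))
        dnf = any(all(s[v] == p for v, p in map(gv.lit.get, pi)) for pi in rl_paths(gv))
        cnf = all(any(s[v] == p for v, p in map(gh.lit.get, pi)) for pi in rl_paths(gh))
        if not (evaluate(phi, s) == dnf == cnf):
            return False
    return True

def unit_literals(gh, sigma):
    """Corollary 6: literals forced by hpgraph rl-paths (clauses) on which sigma
    falsifies every node but one, whose variable is still unassigned."""
    forced = set()
    for pi in rl_paths(gh):
        unassigned = [n for n in pi if gh.lit[n][0] not in sigma]
        falsified = [n for n in pi if gh.lit[n][0] in sigma and sigma[gh.lit[n][0]] != gh.lit[n][1]]
        if len(unassigned) == 1 and len(falsified) == len(pi) - 1:
            forced.add(gh.lit[unassigned[0]])
    return forced

def search(gv):
    """Simplified Algorithm 3.1: grow the current r-path; a node whose literal contradicts
    the assignment is pruned (Corollary 5) and the search backs up chronologically;
    reaching a leaf gives a satisfiable rl-path (Corollary 4). Returns it or None."""
    def extend(n, sigma):
        var, pos = gv.lit[n]
        if sigma.get(var, pos) != pos:
            return None                          # conflict: opposite literal on the r-path
        sigma = {**sigma, var: pos}
        if n in gv.leaves:
            return sigma
        for m in sorted(gv.succ[n]):
            found = extend(m, sigma)
            if found is not None:
                return found
        return None

    for r in sorted(gv.roots):
        found = extend(r, {})
        if found is not None:
            return found
    return None                                  # every rl-path has two conflicting nodes

# Formula of Fig. 2.3 / Fig. 3.1: ((p | q) & ~r & ~q) | (~p & (r | ~s) & q); nodes 1..8 left to right.
PHI = ("or", ("and", ("and", ("or", ("lit", "p", True), ("lit", "q", True)), ("lit", "r", False)), ("lit", "q", False)),
             ("and", ("and", ("lit", "p", False), ("or", ("lit", "r", True), ("lit", "s", False))), ("lit", "q", True)))
```

For PHI, build(PHI, "vp") reproduces R = {1, 2, 5}, L = {4, 8} and the seven edges of Fig. 2.4(b), build(PHI, "hp") reproduces R = {1, 3, 4}, L = {5, 7, 8} and the eleven edges of Fig. 2.5(b), and search finds the rl-path (1, 3, 4) with the assignment {p, ¬r, ¬q} of Example 1. On the assignment of Example 2, unit_literals reports r from the clause (p, q, r, ¬s), but it also reports ¬r from the clause (¬r, q), and the clause (p, q, q) is already fully falsified, so a solver applying Corollary 3 would recognise that assignment as a conflict rather than propagate from it.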
The high level description of the solver is given in Algorithm 3.1. The input to the algorithm is a vpgraph G_v(φ) = (V, R, L, E, Lit) and a hpgraph G_h(φ) = (V', R', L', E', Lit') corresponding to a formula φ. If G_v(φ) contains a satisfiable rl-path, then the algorithm returns SAT as the answer. Otherwise, φ is unsatisfiable and the algorithm returns UNSAT. The algorithm uses the hpgraph G_h(φ) in various sub-routines such as prune and learn. The following data structures are used:

• st is a stack. It stores a subset of nodes from V that need to be explored when searching for a satisfiable rl-path in G_v(φ). Initially, the roots in G_v(φ) are pushed on the stack st (line 1). Let st.top() return the top element of st. We write st as [n_0, ..., n_k] where the top element is n_k and the bottom element is n_0.

• σ stores the current truth assignment as a set. Each element of σ is a literal which is true under the current assignment. For example, an assignment which sets variables a, b to true and c to false will be denoted as {a, b, ¬c}. The algorithm ensures that σ is consistent, that is, it does not contain contradictory literals of the form l and ¬l. Initially, σ is the empty set (line 2).

• mrk maps a node in V to a Boolean value. It identifies an r-path in G_v(φ) which is currently being considered by the algorithm to obtain a satisfiable rl-path (see Fig. 3.3(a)). We refer to this r-path as the current r-path (CRP for short). Intuitively, mrk(n) is true for nodes that lie on the CRP (n ∈ CRP) and false for all other nodes in G_v(φ). More precisely, the CRP is obtained by removing every node n from the stack st for which mrk(n) is false. The remaining nodes constitute the CRP. Initially, mrk(n) is set to false for every node n (line 3), thus, CRP is empty.

Figure 3.2: The vpgraph for formula (a ∨ c) ∧ (b ∨ ¬a) ∧ (¬a ∨ ¬c).

Example 3 The vpgraph for the formula φ = (a ∨ c) ∧ (b ∨ ¬a) ∧ (¬a ∨ ¬c) is shown in Fig. 3.2. Initially, we have st as [2, 1] where the top element of the stack is 1, σ = ∅, and mrk(n) = false for all n ∈ {1, 2, 3, 4, 5, 6}. Suppose during the execution of the algorithm we have st as [2, 1, 4, 3, 6, 5], mrk(1), mrk(3) are true and mrk(n) = false for n ∈ {2, 4, 5, 6}. Thus, CRP is (1, 3). Observe that CRP is an r-path. Intuitively, the algorithm tries to extend CRP by one node at a time, to obtain a satisfiable rl-path. In this case CRP can be extended to obtain two rl-paths π_1 = (1, 3, 5) or π_2 = (1, 3, 6). However, only π_2 is satisfiable (by σ = {a, b, ¬c}) and is enough to show that φ is satisfiable.

The main part of the algorithm is the while loop (lines 4-22) which executes as long as st is not empty and the algorithm has not returned SAT on line 15. The algorithm maintains the following loop invariant.

Loop invariant: At the beginning of iteration number i of the while loop, let the current r-path (CRP) be (n_0, ..., n_k). Then the assignment σ is equal to {Lit(n_j) | n_j ∈ CRP}. That is, σ satisfies each node on CRP and thus, σ satisfies CRP. For example, suppose CRP is (1, 3) in the vpgraph shown in Fig. 3.2, then σ will be {a, b}.

Figure 3.3: (a) Current r-path or CRP in a vpgraph. (b) Can CRP be extended by node m? (c) Backtracking from node m.

If st is not empty, then the top element of the stack (denoted by m) is considered in line 5. There are two possibilities for node m according to the if statement in line 6.

• mrk(m) is false: In this case the algorithm checks if the current r-path CRP can be extended by node m as shown in Fig. 3.3(b). This check is carried out by a call to prune (line 7). If prune returns conflict, then the current r-path extended by node m cannot lead to a satisfiable rl-path. Thus, the solver needs to backtrack from node m, and if possible extend CRP by some other node. This is done by calling backtrack on line 9 and going back to the while loop (line 4) by using continue (line 10). Before backtracking, a call to learn (line 8) is made which summarizes the reason for the conflict when CRP is extended by m. This reason is learned in the form of a clause and is used later to avoid similar conflicts. We denote CRP concatenated with m as CRP(m). Depending upon the reason why there is no satisfiable rl-path with CRP(m) as prefix, the backtrack routine can pop several nodes from st (non-chronological backtracking) instead of just popping m from st.

If a call to prune results in no-conflict (line 7), then m can extend CRP. In this case execution reaches line 12. At line 12 mrk(m) is set to true, which means that the new current r-path is CRP concatenated with m, that is, CRP(m). The algorithm maintains the loop invariant that the assignment σ satisfies the current r-path. In order to maintain this invariant σ now needs to satisfy node m which is on the current r-path CRP(m). This is done by adding Lit(m) to σ (line 13). If m is a leaf in the vpgraph, then CRP(m) is a satisfiable rl-path. In this case SAT is returned (lines 14-15). If m is not a leaf, then the children of m are pushed on the stack (line 17). The algorithm will next attempt to extend the current r-path CRP(m).

• mrk(m) is true: This happens when the current r-path is of the form (n_0, ..., n_k, m). Intuitively, the algorithm has explored all possible rl-paths with (n_0, ..., n_k, m) as prefix, but none of them leads to a satisfiable rl-path, as shown in Fig. 3.3(c). The algorithm now backtracks from node m by calling backtrack on line 20. Depending upon the reason why there is no satisfiable rl-path with (n_0, ..., n_k, m) as prefix, the algorithm can pop several nodes from st instead of just popping m.

For each node n removed from the stack during backtracking (lines 9, 20) mrk(n) is set to false again. This enables the removed nodes to be examined again on rl-paths which have not yet been explored.

We discuss the routines prune, learn, and backtrack in the following sections.


3.4 Search Space Pruning

This section describes the procedure prune called in the non-clausal SAT algorithm shown in Algorithm 3.1 (line 7). A call to prune checks if the current r-path CRP can be extended by node m or not, as shown in Fig. 3.3(b). Intuitively, prune returns conflict if there cannot be a satisfiable rl-path in vpgraph G_v(φ) with CRP(m) as prefix. When prune is called, the current r-path CRP is satisfied by assignment σ, which is equal to {Lit(n) | n ∈ CRP} (maintained as a while loop invariant in the top level algorithm shown in Algorithm 3.1). The three cases when conflict is returned are as follows:

Case 1: When CRP(m) is not satisfiable. This happens when there is a node n on CRP such that Lit(n) = ¬Lit(m). In this case no assignment can satisfy the r-path CRP(m) (Corollary 5). For example, in the vpgraph shown in Fig. 3.4(a) this conflict arises when the CRP is (1, 3) and m is node 5.

Otherwise, CRP(m) is satisfiable and σ' = σ ∪ {Lit(m)} satisfies CRP(m). However, it is still possible that there is no satisfiable rl-path in G_v(φ) with CRP(m) as prefix. These cases are described below.
Figure 3.4: (a) Vpgraph for formula (a ∨ c) ∧ (b ∨ ¬a) ∧ (¬a ∨ ¬c). (b, c) Vpgraph and Hpgraph for formula (a ∨ c) ∧ ((b ∧ u) ∨ (d ∧ v)) ∧ (¬a ∨ ¬b), respectively. (d) Vpgraph for formula (a ∨ c) ∧ ((b ∧ u ∧ (¬a ∨ ¬b)) ∨ (d ∧ v)).

Case 2 (Global conflict): When σ' falsifies φ. In this case we claim that there is no satisfiable rl-path in G_v(φ) with CRP(m) as a prefix. We prove this claim by contradiction. Assume that there is an rl-path π in G_v(φ) which has CRP(m) as prefix and is satisfiable. By definition there exists an assignment σ'' which satisfies π. From Corollary 2 we know that σ'' satisfies φ. In order to satisfy π, σ'' must satisfy CRP(m). That is, σ'' must contain Lit(n) for every n ∈ CRP(m). Since σ' = {Lit(n) | n ∈ CRP(m)}, it follows that σ' ⊆ σ''. But σ' falsifies φ and hence σ'' must falsify φ. This leads to a contradiction.

Example 4 In Fig. 3.4(b) the vpgraph for formula φ := (a ∨ c) ∧ ((b ∧ u) ∨ (d ∧ v)) ∧ (¬a ∨ ¬b) is given. Consider the case when CRP is (1) and σ = {a}. The algorithm checks if CRP can be extended by node 3 (m = 3). Using our notation σ' = {a, b}. Observe that σ' falsifies φ by substituting a = true, b = true in φ. There are two rl-paths π_1 := (1, 3, 5, 7), π_2 := (1, 3, 5, 8) in the vpgraph shown in Fig. 3.4(b) which have (1, 3) as prefix. Neither of these rl-paths is satisfiable: π_1 is not satisfiable due to conflicting nodes 1, 7 and π_2 is not satisfiable due to conflicting nodes 3, 8.

Detection of a global conflict: We use Corollary 3 to check if σ' falsifies φ. We check if there is an rl-path π in G_h(φ) such that σ' falsifies π. Continuing the above example, the hpgraph corresponding to φ is shown in Fig. 3.4(c). Observe that σ' = {a, b} falsifies the rl-path (7, 8) in Fig. 3.4(c). Thus, using Corollary 3, it follows that σ' falsifies φ.

If there is no global conflict, then the set of implied assignments can be found by the application of the unit literal rule on G_h(φ) as described in Corollary 6.

Case 3 (Local conflict): This conflict arises when every rl-path in G_v(φ) with CRP(m) as prefix contains two nodes which are conflicting and one of the conflicting nodes lies on CRP(m). Formally, this conflict arises when for every rl-path π in G_v(φ) with CRP(m) as prefix there exist two nodes k, l with k ∈ CRP(m) such that Lit(k) = ¬Lit(l). From Corollary 5, it follows that any rl-path π containing conflicting nodes is not satisfiable. Thus, when a local conflict occurs no rl-path in G_v(φ) with CRP(m) as prefix is satisfiable. Whenever there is a global conflict (case 2 above) there is also a local conflict; however, the reverse need not hold, as shown by the example below.

Example 5 In Fig. 3.4(d) the vpgraph for formula φ := (a ∨ c) ∧ ((b ∧ u ∧ (¬a ∨ ¬b)) ∨ (d ∧ v)) is shown. Consider the case when CRP is (1) and m is node 3 (m = 3). Using our earlier notation σ' = {a, b}. Note that σ' does not falsify φ, which means there is no global conflict. There are two rl-paths (1, 3, 5, 7), (1, 3, 5, 8) in the vpgraph shown in Fig. 3.4(d) which have (1, 3) as prefix. Both of these rl-paths contain two conflicting nodes: nodes 1, 7 are conflicting on (1, 3, 5, 7) and nodes 3, 8 are conflicting on (1, 3, 5, 8). Thus, there is a local conflict and the solver needs to backtrack from node m = 3.

Detection of global and local conflicts can be done in linear time in the size of the vpgraph/hpgraph as described in Appendix B. Depending upon the type of conflict (global or local) we perform global or local learning as described below.

3.5 Learning

Learning records the cause of a conflict. This enables the preemption of similar conflicts later on in the search. In the following, a clause will refer to a disjunction of literals. A clause C is conflicting under an assignment σ iff all literals in C are falsified by σ. If a clause C is not conflicting under an assignment σ, we say C is consistent under σ. We distinguish between two types of learning:

Global learning: A globally learned clause is a clause whose consistency must be maintained irrespective of the current search state, which is given by the current r-path CRP (and assignment σ = {Lit(n) | n ∈ CRP}). That is, whenever a globally learned clause becomes conflicting under σ the solver abandons the current search state and backtracks. A globally learned clause is generated from a conflicting clause. A conflicting clause C arises in two cases as described below.
Figure 3.5: Hpgraph for formula (a ∨ c) ∧ ((b ∧ u) ∨ (d ∧ v)) ∧ (¬a ∨ ¬b).

1. When analyzing global conflicts as described in the previous section. When a global conflict occurs there is an rl-path π in hpgraph G_h(φ) which is falsified by the assignment σ currently under consideration. The set of literals corresponding to the nodes on π gives us a clause C := ⋁_{n ∈ π} Lit(n). Observe that C is a conflicting clause, that is, all literals occurring in C are set to false under the current assignment.

Example 6 The hpgraph corresponding to φ := (a ∨ c) ∧ ((b ∧ u) ∨ (d ∧ v)) ∧ (¬a ∨ ¬b) is shown in Fig. 3.5. A global conflict occurs when the current assignment is σ = {a, b}, that is, σ falsifies φ. In this case the rl-path in the hpgraph which is falsified by σ is (7, 8). Thus the required conflicting clause is ¬a ∨ ¬b.

2. When all literals of an existing globally learned clause C become false.

Once a conflicting clause C is obtained, we perform a 1-UIP (first unique implication point) analysis [148] to obtain a learned clause C'. Clause C' is added to the database of globally learned clauses. In order to perform 1-UIP analysis we maintain a notion of a decision level. We associate a decision level dec(n) with each node n in the current r-path CRP. We also maintain a set of implied literals at each node (or decision level) along with the reason (set of variable assignments) which led to the implication. We follow the same algorithm as in [148] to perform the 1-UIP learning.

Figure 3.6: Vpgraph for formula (a ∨ c) ∧ ((b ∧ u ∧ (¬a ∨ ¬b)) ∨ (d ∧ v)).

Local learning: A locally learned clause is associated to a node n in the vpgraph when a local conflict occurs at n. Suppose C is a locally learned clause at node n. Then the consistency of C needs to be maintained only when n is part of the current search state, that is, n ∈ CRP. If n does not lie on CRP, then the consistency of C is irrelevant. This is in contrast to a globally learned clause whose consistency must always be maintained.

Example 7 Consider the local conflict which occurs in the vpgraph in Fig. 3.6 when CRP is (1) and it is checked if CRP can be extended by m = 3. In this case every rl-path in the vpgraph with (1, 3) as prefix contains two conflicting nodes one of which lies on (1, 3). The rl-path (1, 3, 5, 7) has conflicting nodes 1, 7 and the rl-path (1, 3, 5, 8) has conflicting nodes 3, 8. In this case a clause Lit(7) ∨ Lit(8) = ¬a ∨ ¬b can be learned at node 3. Intuitively, when we consider extending the CRP with node m, the (locally) learned clauses at node m must be consistent with the assignment σ = {Lit(n) | n ∈ CRP(m)}. Otherwise, a local conflict will occur at m causing the solver to backtrack. Having learned clauses at node m avoids repeating the work done in detecting the same local conflict. For the vpgraph in Fig. 3.6, when CRP is (2) and m = 3, σ = {c, b} is consistent with the learned clause ¬a ∨ ¬b at node 3; thus, the solver cannot get the same local conflict at node 3 as before (when CRP was (1) and m = 3).

If a local conflict occurs when extending CRP by node m, then a clause is learned at node m as follows: For each rl-path π having CRP(m) as prefix let ω_1(π), ω_2(π) denote the pair of conflicting nodes on π. Without loss of generality assume that ω_1(π) lies on CRP(m). Then the learned clause C at node m is given by ⋁_π Lit(ω_2(π)). Consistency of C must be maintained only when considering rl-paths passing through m.
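As an added illustration (this is not code from the thesis or from SatMate), the following Python builds the vpgraph and hpgraph of an NNF formula, written as nested tuples ('and', ...) / ('or', ...) over literal strings such as 'a' and '~a', and runs the search of Algorithm 3.1 with the three pruning cases of Section 3.4 and the local learning just described. It uses recursion with chronological backtracking in place of the explicit stack, the mrk marks and the non-chronological backtracking of Section 3.6, and it numbers nodes left to right rather than by depth as in the figures, so node numbers differ from those in the examples.

```python
def neg(lit):                          # '~a' <-> 'a'
    return lit[1:] if lit[0] == '~' else '~' + lit

def falsified(lit, sigma):             # sigma: the set of literals currently true
    return neg(lit) in sigma

class PathGraph:
    """Nodes are literal occurrences numbered left to right; R, L, E, Lit as in the text."""
    def __init__(self):
        self.lit, self.edges, self.roots, self.leaves = {}, {}, [], set()

def build(formula, kind, g=None):
    """vpgraph (kind 'v'): conjuncts chained, leaves of one to roots of the next,
    disjuncts in parallel.  hpgraph (kind 'h'): the dual.  Returns (roots, leaves)."""
    if g is None:                                    # top-level call returns the graph
        g = PathGraph()
        g.roots, leaves = build(formula, kind, g)
        g.leaves = set(leaves)
        return g
    if isinstance(formula, str):                     # one node per literal occurrence
        n = len(g.lit) + 1
        g.lit[n], g.edges[n] = formula, []
        return [n], [n]
    parts = [build(sub, kind, g) for sub in formula[1:]]
    if (formula[0] == 'and') != (kind == 'v'):       # parallel composition
        return [r for rs, _ in parts for r in rs], [l for _, ls in parts for l in ls]
    for (_, ls), (rs, _) in zip(parts, parts[1:]):   # sequential composition
        for l in ls:
            g.edges[l].extend(rs)
    return parts[0][0], parts[-1][1]

def global_conflict(hp, sigma):
    """Case 2 (Corollary 3): is some hpgraph rl-path wholly falsified?  Linear-time DFS."""
    stack = [r for r in hp.roots if falsified(hp.lit[r], sigma)]
    seen = set(stack)
    while stack:
        n = stack.pop()
        if n in hp.leaves:
            return True
        new = [c for c in hp.edges[n] if c not in seen and falsified(hp.lit[c], sigma)]
        seen.update(new)
        stack.extend(new)
    return False

def local_conflict(vp, m, sigma):
    """Case 3: every leaf below m is cut off by a node falsified by sigma (which already
    holds Lit(m)).  Returns that clause of blocking literals (Section 3.5) or None."""
    stack, seen, blocked = [m], {m}, set()
    while stack:
        n = stack.pop()
        if n in vp.leaves:
            return None
        for c in set(vp.edges[n]) - seen:
            seen.add(c)
            if falsified(vp.lit[c], sigma):
                blocked.add(vp.lit[c])
            else:
                stack.append(c)
    return blocked

def prune(vp, hp, sigma, m, learned):
    """None if CRP can be extended by m, otherwise the kind of conflict found."""
    if falsified(vp.lit[m], sigma):
        return 'crp'                     # Case 1: Lit(m) negates a literal on CRP
    sigma2 = sigma | {vp.lit[m]}
    if global_conflict(hp, sigma2):
        return 'global'
    if any(all(falsified(l, sigma2) for l in c) for c in learned.get(m, ())):
        return 'local'                   # a clause learned earlier at m is conflicting
    clause = local_conflict(vp, m, sigma2)
    if clause is not None:
        learned.setdefault(m, []).append(clause)
        return 'local'
    return None

def search(vp, hp, stats):
    """Algorithm 3.1 as a recursive DFS; chronological backtracking stands in for the
    text's explicit stack, mrk marks and non-chronological jumps.  Model or None."""
    learned = {}                         # node -> locally learned clauses
    def extend(sigma, candidates):       # candidates: roots, then children of CRP's last node
        for m in candidates:
            kind = prune(vp, hp, sigma, m, learned)
            if kind:
                stats[kind] = stats.get(kind, 0) + 1
                continue                 # backtrack from m
            sigma2 = sigma | {vp.lit[m]}
            if m in vp.leaves:
                return sigma2            # CRP(m) is a satisfiable rl-path
            found = extend(sigma2, vp.edges[m])
            if found is not None:
                return found
        return None
    return extend(frozenset(), vp.roots)

def solve(formula):                      # -> (satisfying assignment or None, conflict counts)
    stats = {}
    return search(build(formula, 'v'), build(formula, 'h'), stats), stats

# The formulas of Examples 3, 4 and 5 in the text.
PHI3 = ('and', ('or', 'a', 'c'), ('or', 'b', '~a'), ('or', '~a', '~c'))
PHI4 = ('and', ('or', 'a', 'c'), ('or', ('and', 'b', 'u'), ('and', 'd', 'v')), ('or', '~a', '~b'))
PHI5 = ('and', ('or', 'a', 'c'), ('or', ('and', 'b', 'u', ('or', '~a', '~b')), ('and', 'd', 'v')))
```

solve(PHI4) runs into the global conflict of Example 4 when the node for b is tried, and solve(PHI5) into the local conflict of Example 5, learning the clause ¬a ∨ ¬b at that node before returning the assignment {a, d, v}.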

3.6 Non-chronological Backtracking

Analyzing conflicts to determine their causes enables modern SAT solvers to backtrack non-chronologically to earlier levels in the search tree, potentially pruning large portions of the search space. This technique is also applicable in our SAT procedure. The backtracking routine called in our SAT procedure depends on the type of conflict that invoked the backtracking procedure:
Figure 3.7: Non-chronological backtracking example.


Non-chronological backtracking on a global conflict: When a global conflict occurs the solver calls a backtracking procedure similar to that in CNF SAT solvers. Suppose a global conflict occurs when the solver attempts to extend the CRP with node m. In this case the learning procedure produces an asserting clause [148] C. That is, only one literal in C, called the asserting literal al(C), is assigned at the current decision level (corresponding to node m), and the remaining literals were assigned at earlier decision levels (corresponding to nodes on CRP). The solver identifies the highest decision level maxd(C) among the literals of C \ {al(C)}. The solver backtracks to the node m' corresponding to the decision level maxd(C). At m' the clause C becomes a unit clause and al(C) is set to true. The search proceeds from m' onwards.

Non-chronological backtracking on a local conflict: When a local conflict occurs the solver backtracks non-chronologically by analyzing the structure of the vpgraph and the conflict clause produced due to the local conflict.

Example 8 Consider the vpgraph shown in Fig. 3.7(a). Let CRP be (1, 2, 3, 5) and suppose the solver examines if CRP can be extended by node 7. Suppose a local conflict occurs at node 7 and a clause ¬a ∨ ¬b ∨ ¬c is learned at node 7. Assume that all the paths starting from nodes 2, 3, 4, 5, 6 pass through node 7. This conflict can be resolved only if we backtrack to the nodes containing literal a or literal b (assuming c was assigned at node 7). Since node 2 comes later on CRP, our algorithm backtracks to node 2. Note that backtracking prevents us from examining rl-paths such as (1, 2, 3, 6, 7, ...), (1, 2, 4, 5, 7, ...), (1, 2, 4, 6, 7, ...), all of which would lead to the same conflict at node 7. The suffix of CRP starting from node 2 onwards is removed. The search procedure attempts to extend CRP (1) with other unexamined successors of node 1. In this case there is no other unexamined successor of node 1, so the solver backtracks from node 1 to return the unsatisfiable answer.

Now consider a variation of Fig. 3.7(a) in Fig. 3.7(b). Node 6 has an outgoing path that does not pass through node 7. As before, a local conflict occurs at node 7. However, now instead of backtracking to node 2 our algorithm backtracks to node 6. This is because there are alternative rl-paths such as (1, 2, 3, 6, ...), (1, 2, 4, 6, ...) through node 6 which could be satisfiable.


3.7 Decision Heuristics

In modern DPLL-based SAT solvers decision heuristics play an important role in pruning the search space by identifying the variables to be assigned next. In our algorithm decision heuristics are used to decide the order in which the children of the last node on the CRP will be examined. More precisely, we use decision heuristics when pushing the children of m on the stack (Algorithm 3.1, line 17). The children near the end of the stack get examined before the other children on the stack.

Some of our decision heuristics make use of literal activity. The activity of a literal indicates its usefulness (participation) in conflicts so far. It is updated in a similar manner as in zChaff [117]. The activity of a node n in the vpgraph is simply the activity of literal Lit(n). We describe a few decision heuristics used when pushing children of m (line 17) below.

1. Push the children in the order they occur in the adjacency list of m.

2. Push the children of m in a random order.

3. Push the children of m in the ascending order of activity. The higher activity children will be examined before other children.

4. Divide the children of m in two sets S_1 and S_2. Each node n ∈ S_1 has Lit(n) already set to true. S_2 contains the remaining children of m. Push nodes in S_2 on the stack followed by nodes in S_1. Intuitively, the nodes in S_1 are satisfied and prune will not return a conflict for a node in S_1. Thus, a satisfying assignment or a conflict will be reached quickly by examining the nodes in S_1 before the nodes in S_2.

5. Form the sets S_1 and S_2 as above. Push the nodes in S_2 in ascending order of their activity. Then push nodes in S_1 in ascending order of activity.

In our experiments heuristic five outperforms the other decision heuristics.

Bench-    #Probs    SatMate        MiniSat        BerkMin        Siege          zChaff
mark                Time    Sol    Time    Sol    Time    Sol    Time    Sol    Time    Sol
QG6        256      23266   235    49386   179    46625   184    46525   184    47321   180
QG6*       256      23266   235    37562   211    15975   239    30254   225    45557   186
Mboard      19       4316    12     4331    12     4947    11     4505    12     5029    11
Pigeon      19       5110    11     6114     9     5459    10     6174     9     5483    11

Table 3.1: Comparison between SatMate, MiniSat, BerkMin, Siege, zChaff. "Time" gives total time in seconds and "Sol" gives #problems solved within a timeout of 600 seconds/problem.


3.8 Experimental Results

The experiments were performed on a 1.5 GHz AMD machine with 3 GB of memory running Linux. The techniques described in the chapter have been implemented in a SAT solver called SatMate [17]. The non-clausal input formula is given in EDIMACS [6] or ISCAS format. SatMate also accepts CNF inputs in DIMACS format. We compare SatMate against four CNF SAT solvers: MiniSat version 1.14 [8], BerkMin version 561 [84], Siege version 4 [18], and zChaff version 2004.5.13 [117].¹

¹ These experiments were carried out in early 2006.

QG6 benchmarks The authors of [116] provided us with a benchmark set called QG6 which consists of 256 non-clausal formulas of varying difficulty. These benchmarks were generated during the construction of classification theorems for quasigroups [116]. The CNF version of these problems was also made available to us by the authors of [116]. The CNF version was obtained by directly expressing the problem of classifying quasigroups in CNF, as opposed to the translation of non-clausal formulas into CNF. The non-clausal versions of these benchmarks have 300 variables and 7500 gates (AND, OR gates) on average, while the CNF versions have 1700 variables and 7500 clauses on average. We ran SatMate on the non-clausal formulas and the CNF SAT solvers on the corresponding CNF formulas from the QG6 suite.

QG6* benchmarks We translated the non-clausal formulas from the QG6 suite into CNF by introducing new variables [124]. The CNF formulas obtained after translation have 7500 variables and 30000 clauses on average. We ran the CNF SAT solvers on the CNF formulas obtained after translation. Note that we still ran SatMate on the non-clausal formulas.

Mboard benchmarks encode the mutilated-checkerboard problem.

Pigeon benchmarks encode the pigeon hole principle with n holes and n + 1 pigeons.

Both QG6 and QG6* benchmarks contain a mixture of satisfiable and unsatisfiable problems. All problems in the Mboard and Pigeon benchmarks are unsatisfiable.

The experimental results are summarized in Table 3.1. The column "#Probs" gives the number of problems in each benchmark set. There was a timeout of 10 minutes per problem per solver. For each solver we report two quantities: 1) "Time" is the total time spent in seconds when solving problems in a given benchmark, including the time spent (= timeout) for each instance not solved within the timeout. 2) "Sol" gives the total number of problems that were solved within the timeout.

Summary of results in Table 3.1: On QG6 benchmarks SatMate solves around 50 more problems and it is approximately 2 times faster than the CNF SAT solvers MiniSat, BerkMin, Siege, and zChaff. On QG6* benchmarks SatMate performs better than MiniSat, zChaff, Siege. However, BerkMin outperforms SatMate on QG6* benchmarks. The difference in the performance of CNF SAT solvers on QG6 and QG6* benchmarks shows how the differences in the encoding of a given problem to CNF can significantly impact the performance of CNF SAT solvers. The performance of SatMate on Mboard and Pigeon benchmarks is slightly better than the CNF SAT solvers.

Table 3.2 summarizes the performance of SatMate and four CNF SAT solvers on various individual problems. Problems dnd02, brn13, icl39, icl45 are from the QG6 benchmark suite. Problems q2.14, cache.inv12 are generated by the UCLID verification tool [22]. The sub-column "Time" gives the time required for SAT solving (in seconds). For SatMate we report the number of local conflicts and the number of global conflicts (Section 3.4) in the "Local confs" and "Global confs" sub-columns, respectively. A timeout of 1 hour was set per problem. We denote timeout by "TO". In case of timeout we report the number of conflicts just before the timeout for SatMate.

Problem       SatMate                              MiniSat   BerkMin   Siege   zChaff
              Time   Local confs   Global confs    Time      Time      Time    Time
dnd02          174         23500          15588      1308      1085     1238      TO
brn13          181         20699          20062      1441      1673     1508      TO
icl39          200         22683          14069        TO        TO     2629      TO
icl45           TO          4850          72106        TO      2320     1641      TO
q2.14          237           113          15863        23        24       34      88
cache.inv12     58           659           7131         1         1        1       2

Table 3.2: Comparison on individual benchmarks. Timeout is 1 hour per problem per solver. The "Time" sub-column gives time taken in seconds.

Performance of SatMate is correlated with the number of local conflicts and global conflicts. A local conflict is a conflict that occurs in a part of a formula and it depends on the structure of the vpgraph. There is no equivalent of a local conflict in CNF SAT solvers. In CNF SAT solvers a conflict arises when the current assignment falsifies an original/learned clause, which is equivalent to a global conflict. As shown in Table 3.2 the number of local conflicts is usually comparable to the number of global conflicts on the benchmarks where SatMate outperforms CNF SAT solvers. Indeed, the performance of SatMate degrades if no local conflict detection and local learning is done.

On SAT problems arising from verification applications such as bounded model checking the performance of SatMate is usually worse than the SAT solvers based on DPLL. Intuitively, this happens because there is a lot of "irrelevant" information in the verification benchmarks, that is, only a small fraction of the variables are important for (un)satisfiability of the given formula. The decision heuristics in the DPLL SAT solvers are able to quickly identify and branch on the important variables. The General Matings solver is constrained to follow the vpgraph structure and does not have much flexibility in terms of the variables to branch on. This drawback can be addressed by dividing the vpgraph into a number of smaller vpgraph components and searching for satisfiable rl-paths in each component in some order. Decision heuristics can be used to select the vpgraph component to examine before other vpgraph components.

3.9 Chapter Summary

We presented a new non-clausal SAT solver based on the General Matings approach. This approach involves the search for a vertical path which does not contain opposite literals in the vertical-horizontal path form (vhpform) of a given negation normal form formula. The main challenge in obtaining an efficient SAT solver based on the General Matings approach is to prevent the enumeration of vertical paths. We presented new techniques for preventing the enumeration of vertical paths. Experimental results show that on certain classes of non-clausal benchmarks our SAT solver has a performance comparable to or better than the current CNF SAT solvers. Overall, our results show the promise of the General Matings approach in building SAT solvers.
Chapter 4

DPLL based SAT Solver


In this chapter we present a SAT solver that checks the satisfiability of an NNF formula $\phi$ by applying the DPLL algorithm [70, 71] to the hpgraph of $\phi$. Our solver also utilizes the vpgraph of $\phi$ in certain steps of SAT solving. If the input formula is not in NNF it can be converted to an equi-satisfiable NNF formula by using the techniques discussed in Chapter 2.


4.1 Top Level DPLL Algorithm

The high level organization of our DPLL based SAT solver is shown in Algorithm 4.1. The input to the algorithm is the hpgraph and vpgraph of a formula $\phi$. The output is SAT if $\phi$ is satisfiable and UNSAT if $\phi$ is unsatisfiable. The top level algorithm is similar to other state-of-the-art DPLL based SAT solvers.

Algorithm 4.1 Top Level Routine in DPLL Based S
AT Solver
Input: Hpgraph $G_h(\phi)$ and vpgraph $G_v(\phi)$
Output: Return SAT if the formula is satisfiable, else return UNSAT
1:  while (true) do
2:    if (decide_next_branch()) then
3:      while (bcp() == conflict) do
4:        blevel = analyze_conflict()
5:        if (blevel == 0) then
6:          return UNSAT
7:        else
8:          backtrack(blevel)
9:        end if
10:     end while
11:   else
12:     return SAT
13:   end if
14: end while

The main body of the algorithm consists of a while loop which executes as long as SAT or UNSAT is not returned. In each iteration of the outer while loop we first call decide_next_branch() in order to identify an unassigned variable. If an unassigned variable is found it is assigned a truth value. After assigning a new variable, Boolean constraint propagation is performed by calling the bcp() routine. If the current truth assignment falsifies the formula the bcp() routine returns a conflict. In case of a conflict the analyze_conflict() routine is called in order to perform learning. The analyze_conflict() routine also identifies a backtracking level blevel to which the solver needs to backtrack in order to avoid a similar conflict. If the backtracking level is zero, then the formula is unsatisfiable and UNSAT is returned. The backtrack(blevel) call performs the task of non-chronological backtracking by erasing all the assignments between the current decision level and blevel. After backtracking to blevel the bcp() routine is called again. This is because at least one new variable gets assigned after backtracking and this can lead to more variable assignments or a conflict.

If decide_next_branch() returns false, it means that all variables have been assigned. In this case the algorithm returns SAT.

A main difference between the existing DPLL SAT solvers and our solver is in the bcp() routine. In our solver the BCP algorithm uses the hpgraph and the vpgraph of a given formula. The focus of this chapter is to explain the bcp() routine in detail.


4.2 Contributions

Our contributions can be summarized as follows:

• The most crucial component of our DPLL SAT solver is an efficient Boolean Constraint Propagation (BCP) algorithm on the hpgraph. Let $V$ denote the set of variables in $\phi$. Given an assignment $\sigma$ of truth values to a set of variables $W \subseteq V$, the BCP algorithm determines if $\sigma$ falsifies $\phi$; otherwise it provides the set of implied assignments (unit literals). We describe an algorithm for performing BCP on the hpgraph that generalizes the two-watched literal scheme [117] found in CNF SAT solvers.

In particular, a "watch" in an hpgraph corresponds to a node cut in the hpgraph. By maintaining two node cuts for each connected component in the hpgraph we achieve the same effect as the two-watched literal scheme found in the CNF SAT solvers. Fig. 4.1(a) shows two node cuts $C_1, C_2$ (possible watches) for a hpgraph. Two node cuts allow watching two nodes (literals) on each path (clause) in a hpgraph component. The two-watched literal scheme used in CNF SAT solvers is a special case of our algorithm (when the hpgraph represents a CNF formula). As in CNF SAT solvers, non-chronological backtracking is cheap as the node cuts are not updated when backtracking.

Figure 4.1: Let $\phi$ be $(a \wedge \neg b) \vee (c \wedge (d \vee \neg f))$. (a) The hpgraph of $\phi$. Two node cuts $C_1, C_2$ are shown. (b) The vpgraph of $\phi$.

• We show how to update the node cuts (watches) in the hpgraph efficiently by using the vpgraph of the given formula. We show that a minimal cut in a hpgraph corresponds to a path in the corresponding vpgraph. Thus, finding a small node cut in a hpgraph corresponds to finding a path in the corresponding vpgraph. For example, notice that the paths (1,3), (2,5) in the vpgraph shown in Fig. 4.1(b) correspond to the cuts $C_1, C_2$, respectively, in the hpgraph shown in Fig. 4.1(a).

• We have carefully implemented these ideas in a non-clausal SAT solver called NFLSAT (Non-clausal FormuLas SATisfiability checker). We evaluate the solver on a collection of 2541 non-clausal industrial benchmarks obtained from publicly available sources. Our solver outperforms the top three CNF SAT solvers of the SAT 2007 competition (industrial category) in terms of the number of problems solved and runtime. NFLSAT is also competitive with the winners of SAT-Race 2008.


4.3 Preliminaries

Definition 7 Given an assignment $\sigma$ to a subset of variables in $\phi$, we say that there is a conflict iff $\sigma$ falsifies $\phi$.

Definition 8 Given an assignment $\sigma$ to a subset of variables in $\phi$, we say that a literal $l$ is implied (unit) iff $l$ must be set to true in order to obtain a satisfying assignment.

We use the hpgraph of $\phi$ in order to detect conflicts. We say an assignment falsifies a node $n$ in $G_h(\phi)$ iff the assignment falsifies $Lit(n)$. The following corollary adapts Theorem 2 (Section 2.2) to the hpgraph.

Corollary 7 Given an assignment $\sigma$ to variables in $\phi$, the following are equivalent:

1. $\sigma$ falsifies $\phi$

2. there exists a rl-path $\pi$ in $G_h(\phi)$ such that $\sigma$ falsifies every node on $\pi$

3. there is a conflict due to $\sigma$

Example 9 Consider the hpgraph for a formula $\phi$ in Fig. 4.2. The assignment $\sigma := \{p, q\}$ falsifies every node on the rl-path (4,5). Thus, $\sigma$ falsifies $\phi$.


Figure 4.2: Hpgraph for a formula.


We use the hpgraph of $\phi$ in order to detect implied literals due to $\sigma$.

Definition 9 Let $\sigma$ be an assignment to variables in $\phi$. If there is a rl-path $\pi$ in $G_h(\phi)$ and a node $m \in \pi$ such that $\sigma$ falsifies every node $n \in \pi$, $n \neq m$, and $Lit(m)$ is not assigned in $\sigma$, then we say that $Lit(m)$ is an h-implied literal and $m$ is an h-implied node.

The following corollary states that an h-implied literal is also an implied literal.

Corollary 8 Given an assignment $\sigma$ to variables in $\phi$. If a literal $l$ is an h-implied literal in $G_h(\phi)$, then $l$ is an implied literal.

Proof. We show that $\sigma \cup \{\neg l\}$ will falsify $\phi$. Since $l$ is h-implied there is a rl-path $\pi$ in $G_h(\phi)$ and a node $m \in \pi$ such that $\sigma$ falsifies every node $n \in \pi$, $n \neq m$, and $Lit(m) = l$. Observe that $\sigma \cup \{\neg l\}$ falsifies every node on $\pi$. Thus, by Corollary 7, $\sigma \cup \{\neg l\}$ falsifies $\phi$. Therefore, in order to obtain a satisfying assignment $l$ must be set to true given $\sigma$ as the current assignment. □

Example 10 Consider the hpgraph shown in Fig. 4.2 and an assignment $\sigma = \{\neg p, \neg q, s\}$. $\sigma$ falsifies all but node 6 on the rl-path (1,2,6,7) in the hpgraph. It follows from Corollary 8 that $Lit(6) = r$ is an implied literal.

The use of Corollary 8 to detect implied literals is not complete, that is, certain implied literals may not be h-implied literals. Consider $\sigma = \{\neg p\}$ and the rl-path $\pi := (1,2,8)$ in Fig. 4.2. $\pi$ corresponds to the clause $Lit(1) \vee Lit(2) \vee Lit(8) = p \vee q \vee q = p \vee q$. Since $p$ is false under $\sigma$, $q$ must be set to true in order to satisfy the clause $p \vee q$. However, according to Definition 9, $q$ is not an h-implied literal because of the multiple occurrences of $q$ in nodes 2, 8. Thus, $q$ will not be detected as an implied literal in our SAT algorithm. In practice, the number of implied literals that are not h-implied is quite small and failure to detect such implied literals does not lead to worse performance. We experimented with a more complicated algorithm that detects an implied literal $l$ even if $l$ occurs multiple times on a rl-path. However, there was no performance improvement as compared to an algorithm using Corollary 8 to detect implied literals.
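To make Corollary 7, Definition 9 and the incompleteness remark concrete, here is an added Python example; it is not code from the thesis or from NFLSAT. Fig. 4.2 is not reproduced on this page, so the hpgraph below is constructed from the rl-paths and node literals the text names in this chapter (the paths (4,5), (1,2,6,7), (1,2,8) and the literals given for nodes 1, 3, 4, 5, 6, 7, 8 in Examples 10 to 16); the literal of node 2 is never stated and is assumed to be $q$, which gives the path (1,2,8) the duplicate-literal clause $p \vee q \vee q$ discussed above. The block enumerates the rl-paths of the DAG, checks for a conflict, collects the h-implied literals, and contrasts them with a complete unit check on the clause of each path.

```python
# Added example: conflict detection (Corollary 7) and h-implied literals
# (Definition 9) on an hpgraph, contrasted with a complete unit-clause check.
# The graph is CONSTRUCTED from the rl-paths and literals named in the text;
# the figure itself is not on the page and Lit(2) = q is an assumption.

EDGES = {1: [2], 2: [5, 6, 8], 3: [5, 6, 8], 4: [5, 6, 8], 6: [7]}  # left-to-right
ROOTS = [1, 3, 4]            # R: nodes where an rl-path may start
LEAVES = {5, 7, 8}           # L: nodes where an rl-path ends
LIT = {1: ("p", True), 2: ("q", True), 3: ("r", False), 4: ("q", False),
       5: ("p", False), 6: ("r", True), 7: ("s", False), 8: ("q", True)}
# a literal is (variable, polarity); ("r", False) stands for the literal ~r


def rl_paths(edges, roots, leaves):
    """Enumerate every root-to-leaf path; each one is a clause of the formula."""
    paths = []

    def walk(node, prefix):
        if node in leaves:
            paths.append(tuple(prefix))
        for nxt in edges.get(node, ()):
            walk(nxt, prefix + [nxt])

    for r in roots:
        walk(r, [r])
    return paths


PATHS = rl_paths(EDGES, ROOTS, LEAVES)   # nine rl-paths for this graph


def status(lit, sigma):
    """True/False when sigma (variable -> bool) assigns the literal, else None."""
    var, polarity = lit
    return None if var not in sigma else sigma[var] == polarity


def falsifies(paths, sigma):
    """Corollary 7: sigma falsifies phi iff every node on some rl-path is false."""
    return any(all(status(LIT[n], sigma) is False for n in p) for p in paths)


def h_implied(paths, sigma):
    """Definition 9: {node m: Lit(m)} where Lit(m) is unassigned and every
    other node on some rl-path through m is falsified by sigma."""
    found = {}
    for p in paths:
        for m in p:
            others_false = all(status(LIT[n], sigma) is False for n in p if n != m)
            if others_false and status(LIT[m], sigma) is None:
                found[m] = LIT[m]
    return found


def clause_implied(paths, sigma):
    """Complete check: merge duplicate literals on a path into one clause and
    report its literal as implied when it is the only one left unassigned."""
    implied = set()
    for p in paths:
        clause = {LIT[n] for n in p}
        if any(status(l, sigma) is True for l in clause):
            continue                       # clause already satisfied
        open_lits = [l for l in clause if status(l, sigma) is None]
        if len(open_lits) == 1:
            implied.add(open_lits[0])
    return implied


if __name__ == "__main__":
    print(PATHS)
    print(falsifies(PATHS, {"p": True, "q": True}))   # conflict via the path (4,5)
    print(h_implied(PATHS, {"p": True}))               # nodes 3 and 4, as in Example 16
    # sigma = {~p}: q is implied by the clause p v q v q but is not h-implied
    print(h_implied(PATHS, {"p": False}), clause_implied(PATHS, {"p": False}))
```

The last line is the incompleteness case: on the path (1,2,8) the merged clause leaves only $q$ open, so `clause_implied` reports it, while `h_implied` stays empty because node 2 and node 8 both carry $q$ and neither is falsified.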

4.4 Boolean Constraint Propagation on the Hpgraph

Let $V$ denote the set of variables in a given formula $\phi$. Given an assignment $\sigma$ of truth values to a set of variables $W \subseteq V$, the Boolean constraint propagation (BCP) algorithm detects two cases. (1) It reports if $\sigma$ falsifies $\phi$ (conflict). (2) If there is no conflict, the BCP algorithm provides a set of implied (unit) literals.

Before we describe the BCP algorithm on a hpgraph, we briefly review the BCP algorithm used in modern CNF SAT solvers.


4.4.1 Review of BCP in CNF SAT solvers

Most modern CNF SAT solvers use the two-watched literal scheme [117] in order to obtain an efficient BCP algorithm. Suppose we are given a CNF formula $\phi$. Let $C$ be a clause in $\phi$. We assume $C$ has at least two distinct literals¹. In the two-watched literal scheme two watches are associated with $C$. A watch is simply a literal $l$ occurring in $C$. Before the search (DPLL algorithm) starts any two literals in $C$ can be designated as its watches.

Let $l_1, l_2$ be the watches corresponding to $C$. Four cases arise depending upon the status of $l_1, l_2$ given the current assignment $\sigma$.

Case A: Both $l_1, l_2$ are not false. In this case there cannot be any conflict or an implied literal due to $C$. The clause $C$ is not even examined during BCP. This case occurs most often in practice and the use of watches enables efficient handling of this case.

The clause $C$ is examined only when one of its watches becomes false. Without loss of generality assume that $l_2$ becomes false in the remaining three cases.

Case B: If $l_1$ is already true, then $C$ is already satisfied. In this case nothing needs to be done even though $l_2$ is false.

Otherwise, the solver tries to replace the falsified watch ($l_2$) by another watch that is not false. If there is a literal $l_3$ in $C$ that is not false, then $l_2$ is replaced by $l_3$. However, such a literal ($l_3$) may not exist in the remaining two cases:

Case C (conflict): All the literals in $C$ are false. In this case $C$ is false under the current assignment.

Case D (implied literal): $l_1$ is unassigned but all other literals in $C$ are false. In this case, $l_1$ is reported as an implied literal.

The main benefit of the two-watched literal scheme is that it reduces the number of times the solver examines the clauses in a given CNF formula. This is crucial for obtaining efficient solvers that can handle CNF formulas with millions of clauses. Another advantage is that non-chronological backtracking is cheap. This is because the watched literals do not need to be updated during backtracking.

We now describe how the two-watched literal scheme found in CNF SAT solvers can be generalized to obtain an efficient algorithm for BCP on a hpgraph. It will be seen that the two-watched literal scheme used in the CNF solvers is a particular instance of our algorithm.

¹ Clauses of length one are treated specially: the literal in such a clause is assigned at the earliest decision level itself.
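The following Python program, added here as an illustration and not taken from NFLSAT or the thesis, puts the two-watched literal scheme just reviewed (cases A to D) under the control loop of Algorithm 4.1 from Section 4.1, on a CNF formula. The watch bookkeeping is the scheme described above. `analyze_conflict()` is a stand-in assumption, since the page does not give the learning procedure: no clause is learned, and the solver flips the deepest decision whose other branch is still untried, so a returned blevel of 0 means that no branch remains and the formula is unsatisfiable. Clauses are lists of non-zero integers with at least two distinct literals; unit clauses are assumed to be removed in preprocessing, as the footnote states. The three test formulas at the bottom, including a 3-pigeons/2-holes instance, are constructed for the example.

```python
# Added example: two-watched literal BCP (cases A-D) inside the loop of
# Algorithm 4.1.  Not the thesis's code; analyze_conflict() is a simplified
# stand-in (no learning, chronological flipping of the deepest open branch).
# Literal encoding: v means variable v true, -v means variable v false.


class DPLL:
    def __init__(self, clauses):
        self.clauses = [list(c) for c in clauses]   # each with >= 2 distinct literals
        self.vars = sorted({abs(l) for c in clauses for l in c})
        self.val = {}         # var -> bool; absent while unassigned
        self.trail = []       # assigned literals in assignment order
        self.decisions = []   # per level: (decision literal, trail index, flipped?)
        self.queue = []       # literals whose negation still has to be propagated
        self.watch = {}       # literal -> indices of clauses watching it
        for ci, c in enumerate(self.clauses):
            for l in c[:2]:   # the first two literals are the initial watches
                self.watch.setdefault(l, []).append(ci)

    def lit_value(self, l):
        v = self.val.get(abs(l))
        return None if v is None else (v if l > 0 else not v)

    def assign(self, l):
        self.val[abs(l)] = l > 0
        self.trail.append(l)
        self.queue.append(l)

    def bcp(self):
        """Return the index of a falsified clause (conflict) or None.  Clauses
        whose two watches stay non-false are never visited (Case A)."""
        while self.queue:
            falsified = -self.queue.pop()
            watchers = self.watch.pop(falsified, [])
            for i, ci in enumerate(watchers):
                c = self.clauses[ci]
                if c[0] == falsified:             # keep the falsified watch in c[1]
                    c[0], c[1] = c[1], c[0]
                if self.lit_value(c[0]) is True:   # Case B: other watch already true
                    self.watch.setdefault(falsified, []).append(ci)
                    continue
                for k in range(2, len(c)):        # look for a replacement watch l3
                    if self.lit_value(c[k]) is not False:
                        c[1], c[k] = c[k], c[1]
                        self.watch.setdefault(c[1], []).append(ci)
                        break
                else:                             # no replacement exists
                    self.watch.setdefault(falsified, []).append(ci)
                    if self.lit_value(c[0]) is False:          # Case C: conflict
                        self.watch[falsified].extend(watchers[i + 1:])
                        self.queue.clear()
                        return ci
                    self.assign(c[0])                          # Case D: implied literal
        return None

    def decide_next_branch(self):
        """Branch on the first unassigned variable (true first); False if none is left."""
        for v in self.vars:
            if v not in self.val:
                self.decisions.append((v, len(self.trail), False))
                self.assign(v)
                return True
        return False

    def analyze_conflict(self):
        """Stand-in for conflict analysis: return the deepest level whose other
        branch is untried, or 0 when every branch has been exhausted."""
        for lvl in range(len(self.decisions), 0, -1):
            if not self.decisions[lvl - 1][2]:
                return lvl
        return 0

    def backtrack(self, blevel):
        """Erase every assignment from level blevel upwards and take the other
        branch at blevel.  The watches are left untouched (cheap backtracking)."""
        lit, pos, _ = self.decisions[blevel - 1]
        del self.decisions[blevel:]
        for l in self.trail[pos:]:
            del self.val[abs(l)]
        del self.trail[pos:]
        self.queue.clear()
        self.decisions[blevel - 1] = (-lit, pos, True)
        self.assign(-lit)

    def solve(self):
        """Algorithm 4.1."""
        while True:
            if self.decide_next_branch():
                while self.bcp() is not None:
                    blevel = self.analyze_conflict()
                    if blevel == 0:
                        return "UNSAT"
                    self.backtrack(blevel)
            else:
                return "SAT"


def solve_cnf(clauses):
    """Return ("SAT", model) or ("UNSAT", {}) for a list of clauses."""
    s = DPLL(clauses)
    res = s.solve()
    return res, (dict(s.val) if res == "SAT" else {})


def satisfies(clauses, model):
    return all(any(model.get(abs(l)) == (l > 0) for l in c) for c in clauses)


# Constructed test formulas.
SAT_EXAMPLE = [[1, 2], [-1, 3], [-2, -3, 4]]
UNSAT_EXAMPLE = [[1, 2], [1, -2], [-1, 2], [-1, -2]]
PIGEONHOLE_3_2 = [[1, 2], [3, 4], [5, 6],            # every pigeon gets a hole
                  [-1, -3], [-1, -5], [-3, -5],      # hole 1 holds one pigeon
                  [-2, -4], [-2, -6], [-4, -6]]      # hole 2 holds one pigeon

if __name__ == "__main__":
    for f in (SAT_EXAMPLE, UNSAT_EXAMPLE, PIGEONHOLE_3_2):
        print(solve_cnf(f))
```

Because a clause is only ever touched through the watch list of a literal that just became false, backtracking needs no watch maintenance: a watch that is false was falsified at a level that is erased together with, or after, the level at which its partner became true.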

4.4.2 Generalizing Two-watched Literal Scheme to Two-watched Cut Scheme for Hpgraph

Let $\phi$ be an NNF formula. We are given an assignment $\sigma$ to a subset of the variables occurring in $\phi$. The BCP algorithm uses the hpgraph $G_h(\phi)$ of $\phi$.

Definition 10 Given $G = (V, E, R, L, Lit)$ we say that $C \subseteq V$ is a rl-cut in $G$ iff removal of all nodes in $C$ from $G$ disconnects all rl-paths in $G$.
Figure 4.3: An hpgraph. Two rl-cuts $C_1 := \{2,3,4\}$, $C_2 := \{5,7,8\}$ are shown.

For example, $\{1,3,4\}$, $\{2,3,4\}$, $\{5,6,8\}$, $\{5,7,8\}$ are some of the rl-cuts in the hpgraph shown in Fig. 4.3. The node set $\{2,7,8\}$ is not an rl-cut as it does not disconnect the rl-paths (3,5), (4,5).

The following corollary states that an rl-cut contains at least one node from each rl-path.

Corollary 9 Let $C$ be a rl-cut in $G_h(\phi)$. For every rl-path $\pi$ in $G_h(\phi)$ there exists a node $n$ such that $n \in \pi$ and $n \in C$.

Definition 11 Two rl-cuts $C_1, C_2$ are said to be node-disjoint if $C_1 \cap C_2 = \emptyset$.

For example the rl-cuts $\{2,3,4\}$, $\{5,7,8\}$ in Fig. 4.3 are node-disjoint.

Watches in a Hpgraph Each rl-path in a hpgraph corresponds to a clause. Let the clause corresponding to an rl-path $\pi$ be $C$. In order to apply the two-watched literal scheme found in CNF SAT solvers we want to watch two nodes $n_1, n_2$ on $\pi$. This in turn amounts to watching two literals $Lit(n_1), Lit(n_2)$ in $C$. However, there are usually exponentially many paths (clauses) in a hpgraph. So it is expensive to maintain watches for each rl-path (clause) explicitly.

This intuition leads us to define a watch in a hpgraph as a rl-cut in the hpgraph. By taking a rl-cut as a watch we make sure that at least one node on every rl-path is present in our watch (Corollary 9). This in turn corresponds to watching a literal on each clause in the hpgraph.

Example 11 The rl-cut $C := \{2,3,4\}$ is a possible watch for the hpgraph in Fig. 4.3. Note that $C$ contains at least one node from each rl-path in Fig. 4.3. Watching node 3 on the rl-paths (3,5), (3,6,7), (3,8) amounts to watching the literal $Lit(3) = \neg r$ on the clauses $\neg r \vee \neg p$, $\neg r \vee r \vee \neg s$, $\neg r \vee q$, respectively.

In order to get the effect of the two-watched literal scheme we watch two rl-cuts in the hpgraph. By maintaining two rl-cuts for a hpgraph we are able to watch two nodes (literals) on each rl-path (clause) in the hpgraph.

Example 12 The rl-cuts $C_1 := \{2,3,4\}$ and $C_2 := \{5,7,8\}$ are two possible watched cuts for the hpgraph in Fig. 4.3. For the rl-path (1,2,6,7), the rl-cuts $C_1, C_2$ allow us to watch nodes 2, 7.

Definition 12 Given $G = (V, E, R, L, Lit)$, a partial assignment $\sigma$, and a rl-cut $W \subseteq V$. We say that $W$ is acceptable iff there is no node $m \in W$ such that $Lit(m)$ is false in $\sigma$. We say that $W$ is satisfied iff for all $m \in W$, $Lit(m)$ is true in $\sigma$.

For example, given the hpgraph in Fig. 4.3 and $\sigma = \{q\}$, the rl-cuts $\{5,6,8\}$, $\{5,7,8\}$ are acceptable. The rl-cuts $\{2,3,4\}$, $\{1,3,4\}$ are not acceptable given $\sigma$.
4.4.3 High Level Description of BCP on Hpgraph Using the Two-watched Cuts

For a given hpgraph $G_h(\phi) = (V, E, R, L, Lit)$ we maintain two rl-cuts $C_1, C_2$ (watches). Before the DPLL algorithm starts, $C_1, C_2$ can be initialized to any two rl-cuts in $G_h(\phi)$ which are node-disjoint². As the search progresses the algorithm tries to maintain the invariant that at least one of $C_1, C_2$ is acceptable. The algorithm also tries to keep $C_1, C_2$ as node-disjoint as possible. This is useful for detecting implied literals.

We intuitively describe the various cases that may arise during BCP on a hpgraph below. In the next section we formalize these cases. Each of the cases below generalizes the corresponding case in the two-watched literal scheme for CNF SAT solvers.

Case A: Both rl-cuts (watches) $C_1, C_2$ are node-disjoint and acceptable. Then there can be no conflict or h-implied literals due to the current assignment. This is because each clause in the hpgraph contains two literals that are not false. In this case there is no need to look at any other part of the hpgraph.

Example 13 In Fig. 4.3 let $C_1 := \{2,3,4\}$, $C_2 := \{5,7,8\}$ and $\sigma = \{\neg p\}$. Observe that both $C_1, C_2$ are acceptable rl-cuts and are node-disjoint. It can be seen that there is no conflict or h-implied literal in the hpgraph.

Suppose one of the rl-cuts, say $C_2$, is no longer acceptable. Then we have the following cases.

² This can always be ensured as explained in the next section.
Figure 4.4: An hpgraph. Two rl-cuts $C_1 := \{1,3,4\}$, $C_2 := \{5,7,8\}$ are shown.

Case B: For each node $n \in C_1$, $Lit(n)$ is already true, that is, $C_1$ is satisfied. In this case there cannot be any conflict or an h-implied literal in the hpgraph. Intuitively, every clause present in the hpgraph is satisfied. The algorithm leaves $C_2$ unchanged in this case.

Example 14 In Fig. 4.4 let $C_1 := \{1,3,4\}$, $C_2 := \{5,7,8\}$ and $\sigma = \{p, \neg r, \neg q\}$. Observe that $C_2$ is not acceptable as $Lit(5), Lit(8)$ are false under $\sigma$. However, $C_1$ is satisfied. In this case we do not update $C_2$.

If the previous cases do not apply the algorithm tries to find a replacement rl-cut for $C_2$. When searching for a replacement to $C_2$ the algorithm tries to find a rl-cut that is as different from $C_1$ as possible. Intuitively, this is similar to why we keep the two watched literals in a clause distinct in the CNF two-watched literal scheme. If a replacement cut $C_3$ is found such that $C_3$ is acceptable and $C_3 \cap C_1 = \emptyset$, then $C_2$ is replaced by $C_3$. Otherwise, we have the following two cases.
Figure 4.5: An hpgraph. Three rl-cuts $C_1 := \{1,3,4\}$, $C_2 := \{5,7,8\}$, $C_3 := \{2,3,4\}$ are shown.

Case C (conflict): There is no acceptable rl-cut in the hpgraph. In this case the current assignment $\sigma$ falsifies the given formula.

Example 15 In Fig. 4.4 let $C_1 := \{1,3,4\}$, $C_2 := \{5,7,8\}$ and $\sigma = \{p, r\}$. In this case both $C_1, C_2$ are not acceptable and there is no possible replacement for them. This is expected as the clause $(\neg r \vee \neg p)$ corresponding to the rl-path (3,5) is false.

Case D (implications): There is an acceptable cut $C_3$, but $C_3 \cap C_1 \neq \emptyset$. In this case, for every $n \in C_1 \cap C_3$ the corresponding literal $Lit(n)$ is an h-implied literal (assuming $Lit(n)$ is not already true). If $C_3 \neq C_1$, then $C_2$ is replaced by the rl-cut $C_3$.

Example 16 In Fig. 4.5 let $C_1 := \{1,3,4\}$, $C_2 := \{5,7,8\}$ and $\sigma = \{p\}$. Observe that $C_2$ is not acceptable as $Lit(5)$ is false under $\sigma$. Also note that case B does not hold as $C_1$ is not satisfied. Thus, we seek a replacement for $C_2$. Note that any new acceptable cut must include nodes 3, 4 since they are the only possible nodes that can be watched on the paths (3,5), (4,5), respectively. Thus, a possible rl-cut $C_3$ is $\{2,3,4\}$. Both $C_1, C_3$ contain nodes 3, 4. It can be seen that $Lit(3), Lit(4)$ are precisely the h-implied literals. $Lit(3) = \neg r$ is h-implied due to the rl-path (3,5), which corresponds to the clause $\neg r \vee \neg p$. Similarly, $Lit(4) = \neg q$ is h-implied due to the rl-path (4,5), which corresponds to the clause $\neg q \vee \neg p$. Since h-implied literals are also implied literals it follows that $\neg r, \neg q$ are implied literals given the current assignment.
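As an added example (not code from the thesis), the Python below runs the case analysis of this section on the hpgraph of Fig. 4.3, which is represented directly by its rl-paths (one clause per path) with the node literals reconstructed from Examples 11 to 16; $Lit(2) = q$ is an assumption, as the text never states it. `is_rl_cut`, `acceptable` and `satisfied` follow Definitions 10 and 12. The replacement search is a brute-force enumeration of node subsets, which is fine for eight nodes but is not the vpgraph-guided cut search the thesis uses, and in Case D the overlap $C_1 \cap C_3$ is filtered by Definition 9 so that only h-implied literals are reported. The `replace` outcome is the step described just before Case C, where a node-disjoint acceptable cut is found and $C_2$ is swapped for it.

```python
# Added example: the two-watched cut case analysis of Section 4.4.3.
# The hpgraph of Fig. 4.3 is CONSTRUCTED here directly as its rl-paths; node
# literals are reconstructed from Examples 11-16 and Lit(2) = q is assumed.
# Brute-force subset search stands in for the thesis's vpgraph-guided search.
from itertools import combinations

PATHS = [(1, 2, 5), (1, 2, 6, 7), (1, 2, 8),
         (3, 5), (3, 6, 7), (3, 8),
         (4, 5), (4, 6, 7), (4, 8)]
LIT = {1: ("p", True), 2: ("q", True), 3: ("r", False), 4: ("q", False),
       5: ("p", False), 6: ("r", True), 7: ("s", False), 8: ("q", True)}
NODES = sorted(LIT)


def status(lit, sigma):
    """True/False when sigma (variable -> bool) assigns the literal, else None."""
    var, polarity = lit
    return None if var not in sigma else sigma[var] == polarity


def is_rl_cut(cut):
    """Definition 10 (via Corollary 9): the node set meets every rl-path."""
    return all(any(n in cut for n in path) for path in PATHS)


def acceptable(cut, sigma):
    """Definition 12: no node of the cut carries a false literal."""
    return not any(status(LIT[n], sigma) is False for n in cut)


def satisfied(cut, sigma):
    """Definition 12: every node of the cut carries a true literal."""
    return all(status(LIT[n], sigma) is True for n in cut)


def acceptable_cuts(sigma):
    """All acceptable rl-cuts, smallest first (2^8 candidates, fine here)."""
    return [frozenset(c) for k in range(1, len(NODES) + 1)
            for c in combinations(NODES, k)
            if is_rl_cut(c) and acceptable(c, sigma)]


def h_implied_in(nodes, sigma):
    """Definition 9 restricted to the given nodes: Lit(n) unassigned and every
    other node on some rl-path through n false under sigma."""
    return {LIT[n] for n in nodes if status(LIT[n], sigma) is None and any(
        n in path and all(status(LIT[m], sigma) is False for m in path if m != n)
        for path in PATHS)}


def bcp_step(c1, c2, sigma):
    """One BCP step for the watched rl-cuts c1, c2 under sigma.
    Returns (case, c1, c2, implied_literals) with the watches after the step."""
    c1, c2 = frozenset(c1), frozenset(c2)
    if acceptable(c1, sigma) and acceptable(c2, sigma) and not (c1 & c2):
        return "A", c1, c2, set()                 # nothing else needs examining
    if not acceptable(c1, sigma):                 # let c1 be the acceptable watch
        c1, c2 = c2, c1
    if satisfied(c1, sigma):
        return "B", c1, c2, set()                 # every clause satisfied; c2 left stale
    cuts = acceptable_cuts(sigma)
    if not cuts:
        return "C", c1, c2, set()                 # conflict: sigma falsifies phi
    if not acceptable(c1, sigma):                 # both watches stale: restore invariant
        c1 = cuts[0]
    disjoint = [c for c in cuts if not (c & c1)]
    if disjoint:
        return "replace", c1, disjoint[0], set()  # new c2 is node-disjoint from c1
    c3 = min(cuts, key=lambda c: len(c & c1))     # Case D: overlap with c1 unavoidable
    return "D", c1, (c3 if c3 != c1 else c2), h_implied_in(c1 & c3, sigma)


if __name__ == "__main__":
    print(bcp_step({2, 3, 4}, {5, 7, 8}, {"p": False}))                   # Example 13
    print(bcp_step({1, 3, 4}, {5, 7, 8}, {"p": True, "r": False, "q": False}))  # Example 14
    print(bcp_step({1, 3, 4}, {5, 7, 8}, {"p": True, "r": True}))         # Example 15
    print(bcp_step({1, 3, 4}, {5, 7, 8}, {"p": True}))                    # Example 16
```

Under $\sigma = \{p\}$ every acceptable cut must contain nodes 3 and 4, so no cut is node-disjoint from $C_1 = \{1,3,4\}$; the cut with the smallest overlap is $\{2,3,4\}$ and the overlap $\{3,4\}$ yields exactly the h-implied literals $\neg r$ and $\neg q$ of Example 16.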


4.5 Formalizing the Two-watched Cut Scheme for BCP on Hpgraph

We define the length of a rl-path as the number of nodes on the rl-path. Let $\pi = (n_0)$ be a rl-path in $G_h(\phi)$ of length one. The rl-path $\pi$ corresponds to a unit clause $Lit(n_0)$. Our algorithm removes $\pi$ from $G_h(\phi)$ and sets $Lit(n_0)$ to true during the pre-processing phase itself. This is done for all rl-paths that have length one. In the following we assume that each rl-path in $G_h(\phi)$ has a length greater than one. This ensures that there are always two node-disjoint rl-cuts in the given hpgraph.

Recall that there is a conflict in $G_h(\phi)$ due to an assignment $\sigma$ iff $\sigma$ falsifies $\phi$ iff there is a rl-path $\pi$ in $G_h(\phi)$ such that $Lit(m)$ is false for every $m \in \pi$.

Definition 13 Given a hpgraph $G_h(\phi) = (V, E, R, L, Lit)$ and an assignment $\sigma$. We say that a node $n \in V$ is p-assigned (possibly assigned) if the following conditions hold:

(a) there is a rl-path $\pi$ in $G_h(\phi)$ and $n$ lies on $\pi$, and

(b) for every node $m \neq n$ with $m \in \pi$, $Lit(m)$ is false under $\sigma$.

If $n$ is a p-assigned node, then $Lit(n)$ is said to be a p-assigned literal.

Let $n$ be a p-assigned node. Depending upon the status of $Lit(n)$ under the current assignment $\sigma$ we have three cases:

1. $Lit(n)$ is unassigned under $\sigma$. In this case observe that $Lit(n)$ is an h-implied literal and $n$ is an h-implied node. Also note that $Lit(n)$ is an implied literal.

2. $Lit(n)$ is false. In this case there exists a rl-path $\pi$ such that $n \in \pi$ and every node on $\pi$ is falsified. This corresponds to the case when we have a conflict.

3. $Lit(n)$ is true. In this case there exists a rl-path $\pi$ such that $n \in \pi$ and every node $m \in \pi$, $m \neq n$, is falsified. Since $Lit(n)$ is true the clause corresponding to $\pi$ is satisfied.

Corollary 10 Let $n$ be a node in the hpgraph. If $n$ is h-implied, then $n$ is also p-assigned. Thus, if there is no p-assigned node in the hpgraph, then there cannot be any h-implied node.

Corollary 11 If every node on a rl-path $\pi$ in $G_h(\phi)$ is falsified by an assignment $\sigma$ (conflict case), then every node on $\pi$ is p-assigned. Thus, if there is no p-assigned node in the hpgraph given an assignment $\sigma$, then there cannot be a conflict due to $\sigma$, that is, $\sigma$ does not falsify $\phi$.



The following theorem formalizes case C in Section 4.4.3. It states that there is no conflict due to the current assignment if and only if we can find an acceptable rl-cut in the hpgraph.

Theorem 4 Given a hpgraph $G_h(\phi)$ and an assignment $\sigma$. The following are equivalent:

(a) There is no conflict in $G_h(\phi)$ due to $\sigma$.

(b) There exists a rl-cut $C$ in $G_h(\phi)$ such that $C$ is acceptable.

Proof. (a) $\Rightarrow$ (b): Define $C$ to be the collection of all nodes $n$ in $G_h(\phi)$ such that $Lit(n)$ is not set to false by $\sigma$. By definition $C$ is acceptable. We need to show that $C$ is a rl-cut in $G_h(\phi)$. Consider any rl-path $\pi$ in $G_h(\phi)$. As there is no conflict in $G_h(\phi)$ due to $\sigma$, at least one node $m$ on $\pi$ must not be set to false. By definition of $C$, $m \in C$. So removal of the nodes in $C$ from $G_h(\phi)$ disconnects the rl-path $\pi$. Since $\pi$ is arbitrary, removal of the nodes in $C$ disconnects all rl-paths in $G_h(\phi)$. This shows that $C$ is a rl-cut.

(b) $\Rightarrow$ (a): Consider any rl-path $\pi$ in $G_h(\phi)$. We will show that at least one node on $\pi$ is not false. Since $C$ is a rl-cut there must be at least one node $m \in C$ whose removal disconnects $\pi$. That is, $m \in \pi$. As $C$ is acceptable, $Lit(m)$ is not false. As $\pi$ is arbitrary there is at least one node on each rl-path whose literal is not false. Thus, there can be no conflict. □

The following theorem formalizes case A in Section 4.4.3. Intuitively, if there are two node-disjoint acceptable cuts in a hpgraph, then there cannot be any p-assigned node in the hpgraph. This in turn means that there cannot be any conflict or h-implied literals in the hpgraph (Corollaries 10, 11).

Theorem 5 Given a hpgraph $G_h(\phi)$ and an assignment $\sigma$. The following are equivalent:

(a) There are two rl-cuts $C_1, C_2$ in $G_h(\phi)$ that are acceptable and node-disjoint ($C_1 \cap C_2 = \emptyset$).

(b) There is no node in $G_h(\phi)$ that is p-assigned due to $\sigma$.

Proof. (a) $\Rightarrow$ (b): Consider any rl-path $\pi$ in $G_h(\phi)$. We will show that at least two nodes on $\pi$ are not set to false by $\sigma$. Since $C_1$ is a rl-cut there must be a node $n_1$ that belongs to both $C_1$ and $\pi$. Similarly, there must be another node $n_2$ that belongs to both $C_2$ and $\pi$. Since $C_1$ and $C_2$ do not have any common nodes we know that $n_1 \neq n_2$. Also, since both rl-cuts are acceptable, $Lit(n_1), Lit(n_2)$ are not false. Thus, each rl-path in $G_h(\phi)$ has at least two distinct nodes whose literals are not set to false.

We now show (b) by contradiction. Assume there is a node $n$ that is p-assigned due to $\sigma$. Then by definition there exists a rl-path $\pi$ in $G_h(\phi)$ such that all nodes $m$ on $\pi$, $m \neq n$, have $Lit(m)$ false. But this contradicts the fact that each rl-path has at least two distinct nodes whose literals are not set to false. Thus, there cannot be a p-assigned node $n$.

(b) $\Rightarrow$ (a): Observe that each rl-path $\pi$ has at least two nodes that are not set to false by $\sigma$ (otherwise, there would be a p-assigned node on $\pi$). Let $left(\pi)$ denote the leftmost node on $\pi$ that is not set to false by $\sigma$ and $right(\pi)$ denote the rightmost node on $\pi$ that is not set to false by $\sigma$. Observe that both $left(\pi)$ and $right(\pi)$ exist and $left(\pi) \neq right(\pi)$.

We now define two sets of nodes $C_1$ and $C_2$ as follows:

$$C_1 := \bigcup_{\pi \in G_h(\phi)} \{left(\pi)\} \qquad\qquad C_2 := \bigcup_{\pi \in G_h(\phi)} \{right(\pi)\}$$

Observe that both $C_1$ and $C_2$ are rl-cuts and acceptable. We still need to show that $C_1$ and $C_2$ are node-disjoint. We use proof by contradiction. Assume there is a node $m$ such that $m \in C_1$ and $m \in C_2$. Since $m \in C_1$ there exists an rl-path $\pi_1$ such that $left(\pi_1) = m$. Similarly, using the definition of $C_2$ it follows that there exists an rl-path $\pi_2$ such that $right(\pi_2) = m$.

Now consider a path $\pi_3$ obtained by the concatenation of all nodes on $\pi_1$ until $m$, then $m$, then all the nodes on $\pi_2$ from $m$ onwards (Figure 4.6). Observe that $\pi_3$ is an rl-path. Also observe that $m$ is p-assigned due to $\pi_3$. This contradicts (b). Thus, it follows that $C_1, C_2$ are node-disjoint. □

Figure 4.6: The rl-path $\pi_3$ is formed by combining the rl-paths $\pi_1$ and $\pi_2$ at node $m$.
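The construction in the proof of (b) $\Rightarrow$ (a) is easy to run. The Python below is an added example, not the thesis's code; it uses the constructed rl-path representation of the Fig. 4.3 hpgraph (node literals reconstructed from Examples 11 to 16, with $Lit(2) = q$ assumed), computes the p-assigned nodes of Definition 13 together with their three cases, and builds $C_1 := \bigcup \{left(\pi)\}$ and $C_2 := \bigcup \{right(\pi)\}$. When there is no p-assigned node the two cuts come out node-disjoint, as Theorem 5 states; when there is one, the two cuts still exist and are acceptable, and their intersection is exactly the set of p-assigned nodes, in line with Corollary 13(c) below. A path whose nodes are all false has no $left$ or $right$ node, which is the conflict case of Theorem 4.

```python
# Added example: p-assigned nodes (Definition 13) and the left/right cut
# construction from the proof of Theorem 5, (b) => (a).  The hpgraph of
# Fig. 4.3 is CONSTRUCTED as its rl-paths; Lit(2) = q is an assumption.

PATHS = [(1, 2, 5), (1, 2, 6, 7), (1, 2, 8),
         (3, 5), (3, 6, 7), (3, 8),
         (4, 5), (4, 6, 7), (4, 8)]
LIT = {1: ("p", True), 2: ("q", True), 3: ("r", False), 4: ("q", False),
       5: ("p", False), 6: ("r", True), 7: ("s", False), 8: ("q", True)}


def status(lit, sigma):
    """True/False when sigma (variable -> bool) assigns the literal, else None."""
    var, polarity = lit
    return None if var not in sigma else sigma[var] == polarity


def p_assigned(sigma):
    """Definition 13: n is p-assigned iff on some rl-path through n every
    other node is falsified by sigma."""
    return {n for path in PATHS for n in path
            if all(status(LIT[m], sigma) is False for m in path if m != n)}


def classify(sigma):
    """The three cases listed after Definition 13, for each p-assigned node."""
    result = {}
    for n in p_assigned(sigma):
        s = status(LIT[n], sigma)
        result[n] = "h-implied" if s is None else ("conflict" if s is False else "satisfied")
    return result


def left_right_cuts(sigma):
    """C1 := U left(pi), C2 := U right(pi) over all rl-paths.  Returns None
    when some rl-path is entirely false (a conflict), since left(pi) and
    right(pi) do not exist for that path."""
    c1, c2 = set(), set()
    for path in PATHS:
        alive = [n for n in path if status(LIT[n], sigma) is not False]
        if not alive:
            return None
        c1.add(alive[0])     # leftmost node that is not false
        c2.add(alive[-1])    # rightmost node that is not false
    return frozenset(c1), frozenset(c2)


def is_rl_cut(cut):
    """Corollary 9: the set meets every rl-path."""
    return all(any(n in cut for n in path) for path in PATHS)


def acceptable(cut, sigma):
    """Definition 12: no node of the cut carries a false literal."""
    return not any(status(LIT[n], sigma) is False for n in cut)


if __name__ == "__main__":
    for sigma in ({"p": False}, {"p": True}, {"p": True, "r": True}):
        print(sigma, classify(sigma), left_right_cuts(sigma))
```

For $\sigma = \{\neg p\}$ the construction returns precisely the watched cuts $\{2,3,4\}$ and $\{5,7,8\}$ of Example 13; for $\sigma = \{p\}$ it returns $\{1,3,4\}$ and $\{2,3,4,7,8\}$, which overlap in the p-assigned nodes 3 and 4 of Example 16.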
The following corollary formalizes case B in Section 4.4.3. It states that if one of the watched rl-cuts, say $C_1$, is satisfied, then there cannot be any conflict or h-implied literal in the hpgraph. Thus, even if $C_2$ is no longer acceptable there is no need to update it.

Corollary 12 Given a hpgraph $G_h(\phi)$ and an assignment $\sigma$. Let $C$ be a rl-cut in $G_h(\phi)$ that is satisfied. Then the following holds:

(a) There is no conflict in $G_h(\phi)$ due to $\sigma$.

(b) If $n$ is a p-assigned node, then $n \in C$.

(c) There is no h-implied node in $G_h(\phi)$ due to $\sigma$.

Proof. (a) Observe that $C$ is an acceptable rl-cut. Using Theorem 4 the first claim follows easily.

(b) We will prove this claim using proof by contradiction. Suppose there exists a p-assigned node $n$ with $n \notin C$. By definition, there exists an rl-path $\pi$ such that for all $m \in \pi$ with $m \neq n$, $Lit(m)$ is false. Since $C$ is a rl-cut there exists a common node $n'$ such that $n' \in \pi$ and $n' \in C$. We assumed that $n \notin C$, so $n \neq n'$. Since the literal corresponding to every node on $\pi$ (except $n$) is false, it follows that $Lit(n')$ must be false. This contradicts the fact that $C$ is satisfied. Thus, $n \in C$.

(c) We use proof by contradiction. Suppose $n$ is an h-implied node. By definition every h-implied node is also a p-assigned node. From (b) it follows that every p-assigned node is present in $C$. As $C$ is satisfied, $Lit(m)$ must be true for any $m \in C$. Thus, $Lit(n)$ is true. This is a contradiction as $Lit(n)$ must be unassigned according to the definition of an h-implied node. □

We partially formalize Case D in Section 4.4.3. This case arises when there is an acceptable cut in the hpgraph, say $C_1$, but there is no other acceptable cut that is node-disjoint from $C_1$. The corollary below states that every p-assigned node must be contained in $C_1$. Thus, any h-implied literal will also be present in $C_1$.

Corollary 13 Given hpgraph $G_h(\phi)$ and an assignment $\sigma$, let $C_1$ be a rl-cut in $G_h(\phi)$ that is acceptable. Suppose there is no other rl-cut in $G_h(\phi)$ that is both acceptable and node-disjoint from $C_1$. The following results can be derived from Theorems 4 and 5.

(a) There is no conflict in $G_h(\phi)$ due to $\sigma$.

(b) There is at least one p-assigned node in $G_h(\phi)$.

(c) Each p-assigned node $n$ belongs to $C_1$ ($n \in C_1$).

(d) For each p-assigned node $n$, either $Lit(n)$ is already set to true or $Lit(n)$ is unassigned under $\sigma$. If $Lit(n)$ is unassigned, it is an implied literal.

Proof. (a) $C_1$ is an acceptable rl-cut in $G_h(\phi)$. From Theorem 4 it follows that there is no conflict in $G_h(\phi)$ due to $\sigma$.

(b) There are no two rl-cuts in $G_h(\phi)$ that are acceptable and node-disjoint. Thus from Theorem 4 it follows that there is at least one p-assigned node in $G_h(\phi)$.

(c) Let $n$ be a p-assigned node. By definition there exists an rl-path $\pi$ such that for every node $m \in \pi$, $m \neq n$, $Lit(m)$ is false. We use proof by contradiction. Suppose that $n \notin C_1$. Then there must be another node $n' \neq n$ such that $n' \in C_1$ and $n' \in \pi$ (as $C_1$ is a rl-cut). We know that the literal corresponding to every node on $\pi$ that is different from $n$ is false. So $Lit(n')$ is false. But this contradicts the fact that $C_1$ is acceptable (as $n' \in C_1$). Thus, $n \in C_1$.

(d) Let $n$ be a p-assigned node. We know from (c) that $n \in C_1$. Since $C_1$ is acceptable it follows that $Lit(n)$ cannot be false. □

4.6 Minimal rl-cuts in Hpgraph

In the previous sections we generalized the CNF two-watched literal scheme to the hpgraph by using two rl-cuts in the hpgraph $G_h(\phi)$. We now describe how rl-cuts are obtained and updated efficiently during BCP. The key idea is to make use of the vpgraph $G_v(\phi)$. For example, consider the hpgraph in Figure 4.7 (a) and the corresponding vpgraph in Figure 4.7 (b). Observe that any rl-path in the vpgraph corresponds to a rl-cut in the hpgraph. The rl-paths (1,3,4), (2,3,4), (5,6,8), (5,7,8) in the vpgraph correspond to the rl-cuts {1,3,4}, {2,3,4}, {5,6,8}, {5,7,8}, respectively, in the hpgraph.

Definition 14 Given $G = (V, E, R, L, Lit)$ we say that $C \subseteq V$ is a minimal rl-cut in $G$ iff $C$ is a rl-cut in $G$ and no proper subset of $C$ is a rl-cut in $G$. Let $nodes(\pi)$ denote the set of nodes occurring on a rl-path $\pi$.

A surprising fact is that the rl-paths in the vpgraph correspond to minimal rl-cuts in the hpgraph. One can also prove that every minimal rl-cut in the hpgraph corresponds to a rl-path in the vpgraph. This duality between rl-cuts in the hpgraph and rl-paths in the vpgraph is formalized below.

Figure 4.7: (a) Hpgraph for the formula $((p \lor q) \land \lnot r \land \lnot q) \lor (\lnot p \land (r \lor \lnot s) \land q)$. (b) The corresponding vpgraph.

Theorem 6 Given hpgraph $G_h(\phi)$ and vpgraph $G_v(\phi)$ for a formula $\phi$. Let $\pi$ be a rl-path in $G_v(\phi)$. Then $nodes(\pi)$ forms a minimal rl-cut in $G_h(\phi)$.

Theorem 7 Given hpgraph $G_h(\phi)$ and vpgraph $G_v(\phi)$ for a formula $\phi$. Let $C$ be a minimal rl-cut in $G_h(\phi)$. Then there exists a rl-path $\pi$ in $G_v(\phi)$ such that $C = nodes(\pi)$.

We give the proofs of Theorems 6 and 7 in Appendix C. One can prove a similar duality between rl-paths in the hpgraph and rl-cuts in the vpgraph.

Theorem 8 Given vpgraph $G_v(\phi)$ and hpgraph $G_h(\phi)$ for a formula $\phi$. Let $\pi$ be a rl-path in $G_h(\phi)$. Then $nodes(\pi)$ forms a minimal rl-cut in $G_v(\phi)$.

Theorem 9 Given vpgraph $G_v(\phi)$ and hpgraph $G_h(\phi)$ for a formula $\phi$. Let $C$ be a minimal rl-cut in $G_v(\phi)$. Then there exists a rl-path $\pi$ in $G_h(\phi)$ such that $C = nodes(\pi)$.
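The construction behind Figure 4.7 and the duality of Theorems 6 to 9 can be checked mechanically on small formulas. The following Python script is an added example written for this page; it is not NFLSAT's code. It assumes the compositional definition of the two graphs that the path listing for Figure 4.7 implies: a conjunction is a parallel composition (disjoint union) in the hpgraph and a series composition (every leaf of one operand gets an edge to every root of the next) in the vpgraph, and a disjunction is the reverse. Literal occurrences are numbered 1, 2, ... from left to right, which reproduces the node numbers of the figure; the nested-tuple encoding of formulas and the function names are this example's own. It enumerates the rl-paths of both graphs, computes all minimal rl-cuts of each by brute force, and checks that they coincide, including the CNF special case of Section 4.8, where the hpgraph of a single clause is a line graph whose minimal rl-cuts are single nodes.

```python
"""hpgraph/vpgraph construction for an NNF formula and a brute-force check of the
rl-path / minimal rl-cut duality (Theorems 6-9). Added example, not NFLSAT code."""
from itertools import combinations


class Graph:
    """DAG with distinguished roots and leaves; children[n] holds the successors of n."""

    def __init__(self):
        self.children, self.roots, self.leaves = {}, set(), set()

    @staticmethod
    def single(node):
        g = Graph()
        g.children[node], g.roots, g.leaves = set(), {node}, {node}
        return g

    @staticmethod
    def parallel(parts):
        """Disjoint union: roots and leaves are the unions of the parts' roots and leaves."""
        g = Graph()
        for p in parts:
            g.children.update({n: set(c) for n, c in p.children.items()})
            g.roots |= p.roots
            g.leaves |= p.leaves
        return g

    @staticmethod
    def series(parts):
        """Chain: every leaf of part i gets an edge to every root of part i+1."""
        g = Graph()
        for p in parts:
            g.children.update({n: set(c) for n, c in p.children.items()})
        for a, b in zip(parts, parts[1:]):
            for leaf in a.leaves:
                g.children[leaf] |= b.roots
        g.roots, g.leaves = set(parts[0].roots), set(parts[-1].leaves)
        return g


def build(formula):
    """formula is a nested tuple ('lit', 'p'), ('and', f1, f2, ...) or ('or', ...).
    Literal occurrences are numbered 1, 2, ... left to right and the same node ids are
    used in both graphs. Returns (hpgraph, vpgraph, lit) with lit[node] = literal text."""
    lit = {}

    def go(f):
        if f[0] == 'lit':
            n = len(lit) + 1
            lit[n] = f[1]
            return Graph.single(n), Graph.single(n)
        subs = [go(s) for s in f[1:]]
        hs, vs = [s[0] for s in subs], [s[1] for s in subs]
        if f[0] == 'and':   # conjunction: parallel in the hpgraph, series in the vpgraph
            return Graph.parallel(hs), Graph.series(vs)
        return Graph.series(hs), Graph.parallel(vs)   # disjunction: the reverse

    hp, vp = go(formula)
    return hp, vp, lit


def rl_paths(g):
    """All root-to-leaf paths as tuples; roots and children are visited in sorted order."""
    out = []

    def walk(n, acc):
        acc += (n,)
        if not g.children[n]:
            out.append(acc)
        for c in sorted(g.children[n]):
            walk(c, acc)

    for r in sorted(g.roots):
        walk(r, ())
    return out


def is_rl_cut(cut, paths):
    """C is a rl-cut iff every rl-path contains at least one node of C."""
    return all(cut & set(p) for p in paths)


def minimal_rl_cuts(g):
    """All minimal rl-cuts by brute force: C is minimal iff it is a cut and dropping any
    single node breaks it (cuts are closed under taking supersets)."""
    nodes, paths, out = sorted(g.children), rl_paths(g), set()
    for k in range(1, len(nodes) + 1):
        for sub in combinations(nodes, k):
            c = frozenset(sub)
            if is_rl_cut(c, paths) and not any(is_rl_cut(c - {n}, paths) for n in c):
                out.add(c)
    return out


def duality_holds(formula):
    """Theorems 6-9 on one formula: the vpgraph's rl-paths are exactly the hpgraph's
    minimal rl-cuts, and the hpgraph's rl-paths are exactly the vpgraph's minimal rl-cuts."""
    hp, vp, _ = build(formula)
    vp_paths = {frozenset(p) for p in rl_paths(vp)}
    hp_paths = {frozenset(p) for p in rl_paths(hp)}
    return vp_paths == minimal_rl_cuts(hp) and hp_paths == minimal_rl_cuts(vp)


# Formula of Figure 4.7: ((p v q) ^ ~r ^ ~q) v (~p ^ (r v ~s) ^ q)
FIG47 = ('or',
         ('and', ('or', ('lit', 'p'), ('lit', 'q')), ('lit', '~r'), ('lit', '~q')),
         ('and', ('lit', '~p'), ('or', ('lit', 'r'), ('lit', '~s')), ('lit', 'q')))

if __name__ == '__main__':
    hp, vp, lit = build(FIG47)
    print('vpgraph rl-paths   :', rl_paths(vp))
    print('hpgraph rl-paths   :', rl_paths(hp))
    print('minimal hp rl-cuts :', sorted(sorted(c) for c in minimal_rl_cuts(hp)))
    print('duality holds      :', duality_holds(FIG47))
```

Running it lists the four vpgraph rl-paths (1,3,4), (2,3,4), (5,6,8), (5,7,8) as the only minimal rl-cuts of the hpgraph, and the nine hpgraph rl-paths (the clauses of the CNF) as the only minimal rl-cuts of the vpgraph. The brute force over all node subsets is for checking on toy graphs only; on a real hpgraph it is infeasible, which is exactly why the solver obtains minimal rl-cuts through the path/cut duality instead.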

4.6.1 Finding and Updating Minimal rl-cuts in Hpgraph

Our algorithm always maintains two minimal rl-cuts in the hpgraph as the watched cuts. These cuts are obtained and updated by finding rl-paths in the corresponding vpgraph using a depth-first search like routine. The BCP algorithm relies on the ability to find acceptable rl-cuts in the hpgraph. This is done by searching for acceptable rl-paths in the vpgraph (footnote 3). We always search the vpgraph for acceptable rl-paths, and we omit the qualifier "acceptable" in the following.

The BCP routine also requires that we find disjoint rl-cuts in the hpgraph (if possible). This is done by searching for disjoint rl-paths in the vpgraph. More precisely, suppose we are trying to replace rl-cut $C_2$ in the hpgraph. Let the other rl-cut in the hpgraph be $C_1$ and let $\pi_1$ denote the rl-path corresponding to $C_1$ in the vpgraph. Then we search for a rl-path in the vpgraph that is completely disjoint from $\pi_1$. If we succeed in finding a path $\pi_2$ in the vpgraph that is completely disjoint from $\pi_1$, then we obtain a replacement $C_3$ for $C_2$ in the hpgraph such that $C_1 \cap C_3 = \emptyset$. If there is no rl-path in the vpgraph that is completely disjoint from $\pi_1$, we find the set $N$ of all nodes on $\pi_1$ that must be shared by any acceptable rl-path in the vpgraph. Intuitively, the nodes in $N$ are precisely the p-assigned nodes and give us the exact set of h-implied literals.

3 A rl-path $\pi$ is acceptable if no node on $\pi$ is falsified under the current assignment.
Theorem 10 Given vpgraph $G_v(\phi)$ and hpgraph $G_h(\phi)$ for a formula $\phi$. Let $\pi_1$ be an acceptable rl-path in $G_v(\phi)$. Suppose there is no other acceptable rl-path in $G_v(\phi)$ that is completely node-disjoint from $\pi_1$. Let $N$ denote the set of nodes that must be shared by any acceptable rl-path in $G_v(\phi)$. We have the following results:

(a) Every p-assigned node in $G_h(\phi)$ belongs to $N$.

(b) $N \neq \emptyset$.

(c) Every node in $N$ is p-assigned in $G_h(\phi)$.

Proof. (a) Every acceptable rl-path $\pi_i$ in $G_v(\phi)$ corresponds to a minimal rl-cut $C_i$ in $G_h(\phi)$. Since we do not have acceptable and node-disjoint rl-paths in $G_v(\phi)$, we cannot have acceptable and node-disjoint rl-cuts in $G_h(\phi)$. From Corollary 13 it follows that each p-assigned node belongs to each $C_i$. Thus, each p-assigned node belongs to $\bigcap_i C_i = \bigcap_i \pi_i = N$.

(b) From (a) we know that every p-assigned node belongs to $N$. From Corollary 13 there exists at least one p-assigned node in $G_h(\phi)$. Thus, $N \neq \emptyset$.

(c) Consider a node $n \in N$. We want to show that $n$ is p-assigned in $G_h(\phi)$. Let $M$ denote the set of all nodes in $G_v(\phi)$ which are false under the current assignment. Let $M' = M \cup \{n\}$. We claim that $M'$ is a rl-cut in $G_v(\phi)$. In order to show this we show that every rl-path in $G_v(\phi)$ gets disconnected if the nodes in $M'$ are removed from $G_v(\phi)$. There are two possibilities for a rl-path $\pi$ in $G_v(\phi)$. 1) $\pi$ is an acceptable rl-path in $G_v(\phi)$. By definition of $N$ we have $n \in \pi$. So removal of $n \in M'$ will disconnect $\pi$. 2) $\pi$ is not an acceptable rl-path in $G_v(\phi)$. Then there must exist a node $m \in \pi$ such that $Lit(m)$ is false. By definition of $M$ we have $m \in M$, so $m \in M'$. Thus, $M'$ is a rl-cut in $G_v(\phi)$.

Observe that $M'$ is not necessarily a minimal rl-cut. Let $M'' \subseteq M'$ represent a minimal rl-cut obtained by removing nodes from $M'$ ($M''$ is not necessarily unique). We claim that $n \in M''$. This is because $n$ is the only node in $M'$ that disconnects all acceptable rl-paths in $G_v(\phi)$. Thus, $n$ must be present in any minimal rl-cut obtained from $M'$.

Now we use the duality between the minimal rl-cuts in $G_v(\phi)$ and the rl-paths in $G_h(\phi)$. The minimal rl-cut $M''$ in $G_v(\phi)$ corresponds to an rl-path $\pi_h$ in $G_h(\phi)$ such that $M'' = nodes(\pi_h)$. By definition of $M''$ it follows that for every $m \in \pi_h$, $m \neq n$, $Lit(m)$ is false. Thus, node $n$ is p-assigned due to $\pi_h$. □


4.6.2 Implementation of the Cut Replacement Algorithm

Our solver always maintains minimal rl-cuts in the hpgraph, and we omit the qualifier "minimal" in the following. Suppose we are trying to replace rl-cut $C_2$ in the hpgraph. Let the other rl-cut in the hpgraph be $C_1$ and let $\pi_1$ denote the rl-path corresponding to $C_1$ in the vpgraph.

The first step is to search for an acceptable rl-path in the vpgraph that is completely disjoint from $\pi_1$. This is done by performing depth first search (DFS) in the vpgraph and ignoring any nodes that are falsified or lie on $\pi_1$. If the DFS routine encounters a leaf node, then we can immediately produce an acceptable rl-path $\pi_2$ in the vpgraph that is completely disjoint from $\pi_1$. This is done by following the parent nodes starting from the leaf node.

If the DFS algorithm fails to reach a leaf node, then there is no acceptable rl-path in the vpgraph that is completely disjoint from $\pi_1$. In this case we try to find an acceptable rl-path in the vpgraph that is as disjoint from $\pi_1$ as possible. In other words, we try to find an acceptable rl-path $\pi_2$ such that the intersection of $\pi_1$ and $\pi_2$ is exactly the set of p-assigned nodes (the set $N$ in Theorem 10). This is the second step of the cut replacement algorithm. Our implementation of the second step is described below.

• We identify a subgraph $G'_v(\phi)$ of the vpgraph $G_v(\phi)$ such that each rl-path in $G'_v(\phi)$ is acceptable. This can be done by performing DFS on $G_v(\phi)$, removing nodes with false literals and removing non-leaf nodes with no remaining children. In the actual implementation we do not modify $G_v(\phi)$; instead we keep a flag with each node indicating whether the node is in $G'_v(\phi)$. If $G'_v(\phi)$ is empty then there is no acceptable rl-path in $G_v(\phi)$. In this case we report a conflict. If $G'_v(\phi)$ is not empty, then we perform the following steps.

• We identify a subset of nodes in $G'_v(\phi)$ whose removal disconnects all rl-paths in $G'_v(\phi)$. These nodes are exactly the intersection of all rl-paths in $G'_v(\phi)$, that is, the set $N$ in Theorem 10. This is done by a modification of breadth first search on $G'_v(\phi)$. We maintain a frontier of nodes in $G'_v(\phi)$. Initially, the frontier contains the roots of $G'_v(\phi)$. In each iteration we remove from the frontier the node that occurs earliest in the topologically sorted order of the nodes in $G'_v(\phi)$ and insert its children into the frontier. If at any iteration the frontier contains a single node $n$, then all rl-paths in $G'_v(\phi)$ must go through $n$. Thus, $n$ is a p-assigned node and it is added to the set of p-assigned nodes. The set of p-assigned nodes at the end of the algorithm is the set $N$ in Theorem 10.

• We find an acceptable rl-path in the vpgraph that is as disjoint from $\pi_1$ as possible. This is done by performing DFS on $G'_v(\phi)$ and ignoring any node that occurs on $\pi_1$ but not in $N$ (we need to take the nodes from $N$). The result is a rl-path $\pi_2$ in $G_v(\phi)$ such that $\pi_1 \cap \pi_2 = N$.
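The two steps above, run on the vpgraph of Figure 4.7 with $\pi_1 = (1,3,4)$, the rl-path that corresponds to the watched cut {1,3,4}. This is an added example written for this page, not NFLSAT's implementation: the vpgraph adjacency and literal labels are transcribed from the figure, the partial assignments are constructed, and one detail the description leaves open is fixed by assumption, namely that leaf nodes stay in the frontier during the sweep for $N$ (so every rl-path of $G'_v$ always meets the frontier, and a singleton frontier really is a node shared by all of them). Three assignments exercise the three outcomes: the empty assignment yields the disjoint replacement (5,6,8); $p$ = true falsifies node 5 ($\lnot p$), leaves no path disjoint from $\pi_1$, gives $N = \{3,4\}$ with the implied literals $\lnot r$ and $\lnot q$ and the replacement (2,3,4); $p$ = true together with $r$ = true empties $G'_v$ and reports a conflict.

```python
"""Cut replacement of Section 4.6.2 on the vpgraph of Figure 4.7 (added example,
not NFLSAT code). Node ids 1..8 and literals are as in the figure."""

LIT = {1: 'p', 2: 'q', 3: '~r', 4: '~q', 5: '~p', 6: 'r', 7: '~s', 8: 'q'}
CHILDREN = {1: {3}, 2: {3}, 3: {4}, 4: set(), 5: {6, 7}, 6: {8}, 7: {8}, 8: set()}
ROOTS = {1, 2, 5}
LEAVES = {n for n, c in CHILDREN.items() if not c}
PARENTS = {n: {p for p in CHILDREN if n in CHILDREN[p]} for n in CHILDREN}


def value(node, assignment):
    """Truth value of Lit(node) under a partial assignment {variable: bool}; None if unassigned."""
    name = LIT[node]
    v = assignment.get(name.lstrip('~'))
    return None if v is None else v != name.startswith('~')


def dfs_path(allowed):
    """First rl-path found by DFS through `allowed` nodes only, rebuilt by following
    parent pointers back from the leaf that was reached; None if there is none."""
    parent, seen = {}, set()
    stack = [(r, None) for r in sorted(ROOTS, reverse=True) if r in allowed]
    while stack:
        n, p = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        parent[n] = p
        if n in LEAVES:
            path = []
            while n is not None:
                path.append(n)
                n = parent[n]
            return tuple(reversed(path))
        stack.extend((c, n) for c in sorted(CHILDREN[n], reverse=True) if c in allowed)
    return None


def acceptable_subgraph(assignment):
    """Nodes of G'_v: non-false nodes on some acceptable rl-path, i.e. reachable from a
    non-false root (forward sweep) and able to reach a leaf (backward sweep)."""
    ok = {n for n in CHILDREN if value(n, assignment) is not False}

    def reach(start, step):
        seen, stack = set(), [n for n in start if n in ok]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(m for m in step[n] if m in ok)
        return seen

    return reach(ROOTS, CHILDREN) & reach(LEAVES, PARENTS)


def topo_index(nodes):
    """Position of every node of the subgraph in a topological order."""
    order, seen = [], set()

    def visit(n):
        if n not in seen:
            seen.add(n)
            for c in CHILDREN[n]:
                if c in nodes:
                    visit(c)
            order.append(n)

    for n in sorted(nodes):
        visit(n)
    return {n: i for i, n in enumerate(reversed(order))}


def shared_nodes(gp):
    """The set N of Theorem 10: nodes on every rl-path of G'_v. Frontier sweep in
    topological order; leaves are kept in the frontier (assumption of this example), so the
    frontier always meets every rl-path and a singleton frontier {n} puts n on all of them."""
    order, frontier, shared = topo_index(gp), {r for r in ROOTS if r in gp}, set()
    while frontier:
        if len(frontier) == 1:
            shared |= frontier
        inner = [n for n in frontier if n not in LEAVES]
        if not inner:
            break
        u = min(inner, key=order.get)      # earliest non-leaf in topological order
        frontier.remove(u)
        frontier |= CHILDREN[u] & gp
    return shared


def replace_cut(pi1, assignment):
    """Replace the watched cut whose partner corresponds to pi1.
    Returns (status, N, pi2) with status 'disjoint', 'implied' or 'conflict'."""
    ok = {n for n in CHILDREN if value(n, assignment) is not False}
    pi2 = dfs_path(ok - set(pi1))            # step 1: acceptable path disjoint from pi1
    if pi2:
        return 'disjoint', set(), pi2
    gp = acceptable_subgraph(assignment)     # step 2: G'_v; empty means conflict
    if not gp:
        return 'conflict', set(), None
    shared = shared_nodes(gp)                # N = the p-assigned nodes
    return 'implied', shared, dfs_path(gp - (set(pi1) - shared))


def implied_literals(shared, assignment):
    """h-implied literals: Lit(n) for the nodes n in N that are still unassigned."""
    return sorted(LIT[n] for n in shared if value(n, assignment) is None)


if __name__ == '__main__':
    for sigma in ({}, {'p': True}, {'p': True, 'r': True}):   # constructed assignments
        status, shared, pi2 = replace_cut((1, 3, 4), sigma)
        print(sigma, status, sorted(shared), pi2, implied_literals(shared, sigma))
```

With $p$ = true the formula of Figure 4.7 reduces to $\lnot r \land \lnot q$, so the two literals the sweep reports as h-implied are exactly the ones unit propagation on the CNF would derive; the difference is that they are found from the one shared segment of the vpgraph paths rather than by visiting each of the nine clauses.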

4.7 Two-watched rl-cuts for each Hpgraph Component

In the previous sections we described how the two-watched rl-cuts in the hpgraph can be used to carry out Boolean constraint propagation. BCP based on only two watched rl-cuts can be very inefficient when the hpgraph has millions of nodes. This is because even the minimal rl-cuts for the entire hpgraph can be large and will be updated frequently during BCP (see Figure 4.8(a)).

If the input NNF formula $\phi$ is a conjunction of a number of smaller subformulas $\phi_1, \ldots, \phi_k$, then $G_h(\phi)$ is a disjoint union of $G_h(\phi_1), \ldots, G_h(\phi_k)$. We refer to $G_h(\phi_i)$ as an hpgraph component. In practice, there are usually many hpgraph components and each hpgraph component is small compared to the entire hpgraph in terms of number of nodes (footnote 4). In our implementation we maintain two watched rl-cuts for each hpgraph component (see Figure 4.8(b)). This allows more locality during BCP, as the rl-cuts for an hpgraph component can be updated locally by looking only at the nodes in that hpgraph component. Note that the BCP algorithm and the results discussed earlier for the hpgraph apply to each individual hpgraph component and the corresponding vpgraph component.

4 We can also control the number and the size of hpgraph components by introducing new variables in $\phi$.

Figure 4.8: (a) Two monolithic rl-cuts for the entire hpgraph. (b) Two rl-cuts for each hpgraph component.
4.8 Relationship with the CNF Two-watched Literal Scheme

The hpgraph for a CNF formula is a disjoint union of line graphs (hpgraph components), where each line graph represents a clause. A minimal rl-cut in a line graph is simply a cut of size one. Thus, the two-watched rl-cuts for each hpgraph component reduce to the two-watched literal scheme when the input is a CNF formula (see Figure 4.9). We can show that the various steps in our BCP algorithm for updating watched rl-cuts reduce to updating the watched literals when the hpgraph represents a CNF formula. Thus, we consider the two-watched rl-cuts scheme for the hpgraph a generalization of the CNF two-watched literal scheme.

Figure 4.9: (a) General form of a hpgraph with two-watched rl-cuts for each hpgraph component. (b) The hpgraph for a CNF formula. The two-watched cut scheme reduces to the two-watched literal scheme.
4.9 Other Aspects of our SAT Solver

The other important components of our DPLL based SAT solver, such as decision heuristics, conflict driven learning, non-chronological backtracking, and restarts, are implemented in a similar manner as in other state-of-the-art DPLL based SAT solvers.

Various optimizations are used for improving the performance of our solver. These optimizations are described below.

•  The  conflict  driven  learning  generates  new  clauses,  which  are  added  to  a 
CNF  clause  database.  The  BCP  routine  takes  into  account  both  the  hpgraph 
and  the  clause  database  in  order  to  detect  conflicts  and  implied  literals. 

• When converting a Boolean circuit to NNF we introduce new variables for gates with fanout greater than one. This usually produces a large number of small hpgraph components (fewer than a hundred nodes) and a few very large hpgraph components. We try to avoid large hpgraph components by adding extra new variables when converting a Boolean circuit to a NNF formula. The intuition is that we can introduce a new variable to cut a particular (large) sub-tree from a Boolean circuit.

• The hpgraph components containing a few clauses are removed and the clauses contained in such components are added to the clause database before the main DPLL algorithm begins.

• Let $n$ be an h-implied node ($Lit(n)$ is an implied literal). We do not explicitly store the clause due to which $Lit(n)$ is implied. Instead we simply record that $Lit(n)$ was implied at node $n$ in the hpgraph. The actual reason due to which $Lit(n)$ is implied is needed only during conflict analysis, so it is computed on demand during the conflict analysis.

4.10  Experimental  Results 

The experiments are performed on a 1.86 GHz Intel Xeon(R) machine with 4 GB of memory running Linux. The techniques described in this chapter have been implemented in a SAT solver called NFLSAT (Non-clausal FormuLas SATisfiability checker). The input formula is given in AIG (And Inverter Graph) [1] or ISCAS format.

4.10.1  Benchmarks 

We  evaluate  the  solver  on  a  collection  of  2541  Boolean  circuits  obtained  from 
publicly  available  sources.  We  describe  the  sources  of  these  benchmarks  below. 

• K-induction benchmarks (AIG format): We generated 857 k-induction [130] problems from sequential circuits used in the 2007 hardware model checking competition [7]. We used the publicly available utilities aigtosmv [1] and smv2qbf [19] in order to generate the k-induction benchmarks. smv2qbf was run with the options -i -aig.

• Bounded model checking (BMC) benchmarks (AIG format): We generated 839 bounded model checking problems using the sequential circuits from [7]. We used the publicly available utility aigbmc [1] in order to generate the BMC problems.

• SAT competition 2007 benchmarks (AIG format): We use all 341 benchmarks that were used in the AIG track of SAT competition 2007 [15]. Around 220 of these benchmarks were generated by extracting the circuit structure from CNF instances using cnf2aig. The CNF instances themselves were obtained from multiple domains such as software and hardware verification, cryptography, and planning. The remaining benchmarks consist of 105 k-induction benchmarks and 16 benchmarks generated using c32sat [47].

•  UCLID  benchmarks  (ISCAS  format):  We  used  56  benchmarks  generated 
by  the  UCLID  tool  [22].  These  were  provided  to  us  by  Sanjit  Seshia. 

•  Equivalence  checking  benchmarks  (ISCAS  format):  We  use  71  benchmarks 
from  equivalence  checking  domain. 

• Microprocessor verification benchmarks (ISCAS format): We use 222 benchmarks (fvp-unsat.2.0-iscas, sss-sat-1.0-iscas, vliw-sat-1.1-iscas) made available by M.N. Velev [10].

• Other benchmarks: Around 48 benchmarks were obtained by extracting circuit structure from CNF instances using cnf2aig. Another 105 benchmarks are k-induction benchmarks generated using different levels of AIG optimizations [127, 1].
Solver      Solved   Failed   Solved Time (s)   Total Time (s)
NFLSAT        2364      177             29753           135953
RSAT          2310      231             45794           184394
PicoSAT       2281      260             43297           199297
MiniSAT       2270      271             39489           202089

Table 4.1: Comparison between SAT solvers.


4.10.2 Comparison with SAT 2007 Competition Winners

We compare NFLSAT against three state-of-the-art CNF solvers: RSAT [14], PicoSAT [13], and MiniSAT [8]. In the SAT 2007 competition the solvers RSAT, PicoSAT, and MiniSAT were ranked first, second, and third, respectively, in the industrial category. We use the SAT 2007 competition versions of RSAT and PicoSAT. We use an updated version of MiniSAT (minisat2-070721) available from [8]. (This version of MiniSAT is approximately 20% faster than the SAT 2007 competition version of MiniSAT on our benchmarks.)

The  (equi-satisfiable)  CNF  versions  of  the  above  circuits  were  obtained  by 
means  of  basic  Tseitin  transformation  [138,  124].  We  use  aigtocnf  to  convert 
the  benchmarks  in  AIG  format  to  CNF.  The  benchmarks  in  ISCAS  format  were 
converted  to  CNF  by  introducing  a  new  variable  for  each  gate  in  the  circuit.  We 
do  not  include  the  time  required  to  convert  a  Boolean  circuit  to  CNF  in  the  run 
times  reported  below. 

The experimental results are summarized in Table 4.1. There was a timeout of 10 minutes per problem per solver. For each solver we report the following quantities: 1) The total number of problems out of 2541 problems that were solved within the timeout, in the "Solved" column. 2) The total number of problems that the solver could not solve due to a timeout or a memory out, in the "Failed" column. 3) The total time spent in seconds on the problems that were solved, in the "Solved Time" column. 4) The sum of "Solved Time" and the time spent on failed problems, in the "Total Time" column.

NFLSAT solves more problems than each of the CNF SAT solvers and it is also faster in terms of run time. Intuitively, the better performance of NFLSAT is due to the following: 1) The NNF form of Boolean circuits has fewer variables than (pre-processed) CNF in the majority of the cases (see Chapter 2). Fewer variables in turn reduce the overhead during BCP and can make the decision heuristics more effective. 2) The two-watched cut scheme carries more overhead than the two-watched literal scheme. However, the two-watched cut scheme can potentially update the watches for a large number of clauses without having to look at each clause individually. 3) Optimizations for efficient BCP on the clause database [4, 9].

Due to implementation differences between the various solvers it is extremely hard to pinpoint the reason for the better performance of NFLSAT. Even minor implementation differences can make the solvers explore different search spaces, leading to significant differences in run time. Figures 4.10, 4.11, and 4.12 give scatter plots comparing NFLSAT with RSAT, PicoSAT, and MiniSAT, respectively. For each CNF solver we compare it with NFLSAT on all instances, satisfiable instances, and unsatisfiable instances.

The main conclusion is that NFLSAT is competitive with existing state-of-the-art CNF SAT solvers. The two-watched cut scheme and the use of the vpgraph enable efficient BCP on the hpgraph. While we have carefully implemented and optimized NFLSAT, the implementation is still not as mature as CNF solvers, which have been optimized over the past seven years. There is still scope for implementation and heuristics improvement in our solver.

Solver          Solved   Failed   Solved Time (s)   Total Time (s)
NFLSAT            2060      132             26585           105785
MiniSAT++         2074      118             32457           103257
PicoaigerSAT      2033      159             35892           131292

Table 4.2: Comparison of NFLSAT with SAT-Race 2008 AIG track winners.


4.10.3 Comparison with SAT-Race 2008 AIG Track Winners

We compare NFLSAT with MiniSAT++ 1.0, which was ranked first in the AIG track of SAT-Race 2008. MiniSAT++ simplifies the AIG circuit using DAG-aware rewriting and then converts the simplified circuit to CNF using an improved Tseitin translation [9, 76]. The resulting CNF is then passed to MiniSAT 2.1, which was ranked first in the CNF track of SAT-Race 2008. We also compare NFLSAT with PicoaigerSAT, which was ranked second in the AIG track of SAT-Race 2008. We evaluate the three solvers on a collection of 2192 AIG benchmarks (footnote 5).

The experimental results are summarized in Table 4.2. There was a timeout of 10 minutes per problem per solver. For each solver we report the following quantities: 1) The total number of problems out of 2192 problems that were solved within the timeout, in the "Solved" column. 2) The total number of problems that the solver could not solve due to a timeout or a memory out, in the "Failed" column. 3) The total time spent in seconds on the problems that were solved, in the "Solved Time" column. 4) The sum of "Solved Time" and the time spent on failed problems, in the "Total Time" column. Figures 4.13 and 4.14 give scatter plots comparing NFLSAT with MiniSAT++ and PicoaigerSAT, respectively.

5 Unlike SAT competitions, the participants of SAT-Race are not required to make their solvers (source code or binary) publicly available. We obtained the MiniSAT++ binary and the PicoaigerSAT source code from their authors.

NFLSAT solves more problems than PicoaigerSAT and is also faster in terms of run time. MiniSAT++ solves 14 more problems than NFLSAT. However, on the majority of the benchmarks NFLSAT is faster than MiniSAT++, as shown by the scatter plot in Figure 4.13.

Detailed comparison with MiniSAT++

We divide our collection of AIG benchmarks into three sets: 1) The K-IND set consists of the k-induction benchmarks. 2) The BMC set consists of the BMC benchmarks. 3) The SAT-2007 set consists of the AIG benchmarks used in the AIG track of the SAT 2007 competition. Around 220 SAT-2007 benchmarks were obtained by extracting circuit structure from CNF using cnf2aig.

The experimental results are shown in Table 4.3. The column "#Probs" gives the number of problems in each benchmark set. There was a timeout of 10 minutes per problem per solver. For each solver we report the following quantities: 1) "Solved" gives the total number of problems that were solved within the timeout. 2) "Solved time" gives the total time spent on solved problems. 3) "Total time" is the sum of "Solved time" and the time spent on problems where a timeout occurred.

                      NFLSAT                                MiniSAT++ 1.0
Benchmarks  #Probs    Solved  Solved time  Total time      Solved  Solved time  Total time
K-IND          857       842         3719       12719         840        12496       22696
BMC            838       822         4786       14386         823         5623       14623
SAT-2007       343       245        14555       67955         259        12204       57204

Table 4.3: Comparison between NFLSAT and MiniSAT++ 1.0 (times in seconds).

On the K-IND benchmarks NFLSAT solves two more problems and is 3.36 times faster than MiniSAT++ in terms of time spent on solved problems. On the BMC benchmarks MiniSAT++ solves one more problem than NFLSAT; the run times are similar. On the SAT-2007 benchmarks MiniSAT++ solves 14 more problems than NFLSAT. The poor performance of NFLSAT on the SAT-2007 benchmarks is on the circuits that were obtained from CNF formulas. The extraction of circuit structure from CNF is not perfect, and many of the extracted circuits are simply a conjunction of clauses. Figures 4.15, 4.16, and 4.17 give scatter plots comparing NFLSAT with MiniSAT++ on the K-IND, BMC, and SAT-2007 benchmark sets, respectively.

Note that NFLSAT currently does not employ the DAG-aware minimization that MiniSAT++ employs. Adding this idea to NFLSAT is likely to improve the performance of NFLSAT.
4.10.4 Breakdown of the Total Time

The frontend for NFLSAT performs the following tasks: 1) Read the input formula/circuit. 2) Obtain the NNF form from the given circuit by introducing new variables. 3) Obtain the hpgraph and vpgraph from the NNF form. 4) Set up all data structures that are to be used in the main DPLL algorithm. 5) Perform top level Boolean constraint propagation (without making any decisions). Figure 4.18 compares the time taken by the frontend (y-axis) with the total number of AND gates in the input AIG circuit (x-axis). It can be seen that the frontend scales polynomially with the input size. In particular, there is no blowup involved in constructing the hpgraph and vpgraph.

The DPLL time denotes the time taken by the actual DPLL algorithm. It is obtained by subtracting the frontend time from the total time. Figure 4.19 compares the time taken by the frontend (x-axis) to the DPLL time (y-axis). The frontend time exceeds the time taken by the DPLL algorithm on many benchmarks. However, the frontend time is less than ten seconds for the majority of cases.

4.11  Chapter  Summary 

We presented a DPLL based SAT solver that operates on graph based representations of NNF formulas. The hpgraph encodes the CNF form of a given NNF formula, while the vpgraph encodes the DNF form of the same formula. The key step in the DPLL algorithm is Boolean constraint propagation (BCP). We generalize the two-watched literal scheme from CNF SAT solvers in order to efficiently carry out BCP on the hpgraph. In our algorithm two cuts are watched for each hpgraph component. The watched cuts are used to detect conflicts and implied literals. We use the duality between the cuts in a hpgraph and the paths in a vpgraph for efficiently updating the cuts. Experimental results show that the new SAT solver is faster than the state-of-the-art solvers on the majority of the benchmarks and is competitive in terms of the number of problems solved.
Figure 4.10: Scatter plot comparing the run times of NFLSAT and RSAT.

Figure 4.11: Scatter plot comparing the run times of NFLSAT and PicoSAT.

Figure 4.12: Scatter plot comparing the run times of NFLSAT and MiniSAT.

Figure 4.13: Scatter plot comparing the run times of NFLSAT and MiniSAT++.

Figure 4.14: Scatter plot comparing the run times of NFLSAT and PicoaigerSAT.

Figure 4.15: Scatter plot comparing the run times of NFLSAT and MiniSAT++ on k-induction benchmarks.

Figure 4.16: Scatter plot comparing the run times of NFLSAT and MiniSAT++ on BMC benchmarks (axes in seconds).

Figure 4.17: Scatter plot comparing the run times of NFLSAT and MiniSAT++ on SAT-2007 AIG benchmarks.

Figure 4.18: The frontend time as a function of circuit size (x-axis: number of AND gates).

Figure 4.19: Frontend time (x-axis, seconds) and the time spent in the DPLL algorithm.
Chapter 5

Techniques for Word-Level Verification


In the software domain, one of the successful abstraction techniques for large systems is predicate abstraction [85]. It abstracts data by only keeping track of certain predicates on the data. Each predicate is represented by a Boolean variable in the abstract program, while the original data variables are eliminated. Predicate abstraction of ANSI-C programs in combination with counterexample guided abstraction refinement was introduced by Ball and Rajamani [34, 33] and promoted by the success of the SLAM project. The goal of this project is to verify that Windows device drivers obey API conventions. The abstraction of the program [37, 35] is computed using a theorem prover such as Simplify [73] or Zapato [36].

In this work we use predicate abstraction for verifying hardware designs. Predicate abstraction is only effective if the predicates can cover the relationship between registers (multiple latches). This typically requires a word-level model given at the RT-level of a hardware description language. RT-level models are similar to programs written in a programming language, such as ANSI-C. We apply predicate abstraction to word-level models given in RTL Verilog.

Many software verification tools use theorem provers for computing the predicate abstraction. Theorem provers typically model the variables using unbounded integer numbers. Overflow and bit-wise operators are not modeled. However, hardware description languages like Verilog provide an extensive set of bit-wise operators. For hardware designs, the use of these bit-level constructs is ubiquitous. As in [103, 59, 90, 62], we use a bit-level SAT solver to compute the abstract transition relation. This allows us to precisely model the bit-vector semantics of hardware designs during abstraction computation.

We view our technique as a word-level verification technique because of the following: 1) the predicates that are used for computing the predicate abstraction are at the word-level¹, and 2) the use of a bit-level SAT solver as a decision procedure can be replaced by a word-level solver. However, existing word-level solvers for hardware description languages are not always competitive with bit-level SAT solvers.


¹ If needed, bit-level predicates can be used as well. For example, a predicate of the form rg[2] is allowed, where rg is a register and rg[2] refers to the second bit in rg.
Figure 5.1: A spurious counterexample. [Figure labels: spurious prefix, spurious transition]

5.1 Contributions

This thesis applies predicate abstraction and refinement for verifying circuits given in Verilog RTL. Two problems arise when applying predicate abstraction to circuits: 1) the computation of the abstract model in the presence of a large number of predicates, and 2) the discovery of suitable word-level predicates for abstraction refinement.

In order to address the first problem, we divide the set of predicates into clusters of related predicates. The abstraction is computed separately with respect to the predicates in each cluster. Since each cluster contains only a small number of predicates, the computation of the abstraction becomes more efficient. We refer to this technique as predicate clustering. It allows us to tune the abstraction step between the two extremes of eager abstraction [59] and lazy abstraction [88]. The eager technique refers to the case where all predicates are within a single cluster, while lazy abstraction corresponds to the case in which many clusters of small cardinality (size) are used for computing the abstraction.

When refining the abstract model using a spurious counterexample, we distinguish between two cases of spurious behavior [63]: Spurious transitions are abstract transitions that do not have any corresponding concrete transitions. By definition, spurious transitions cannot appear in the most precise predicate abstraction, which is computed by the eager approach. However, predicate clustering usually produces coarse abstractions, which can give rise to spurious transitions. Spurious prefixes are prefixes of the spurious counterexample that do not have a corresponding concrete path. This happens when the set of predicates is not rich enough to capture the relevant behaviors of the concrete system, even for the most precise abstraction. Fig. 5.1 shows a spurious counterexample containing a spurious transition and a spurious prefix.

When a spurious counterexample is encountered, we first check whether each transition in the counterexample can be simulated on the original program. This is done by creating a SAT instance for the simulation of each abstract transition. If the SAT instance for an abstract transition is unsatisfiable, then the abstract transition is spurious. In this case, we refine the abstraction by adding constraints on the abstract transition relation that eliminate the spurious transition. We make use of the proof of unsatisfiability of the SAT instance to identify a small subset of the existing predicates that are causing the transition to be spurious. The fewer predicates that are found, the more spurious transitions are eliminated in one step. The abstract transitions in a spurious counterexample can be examined in any order.

When all SAT instances for the simulation of abstract transitions are satisfiable, it means that none of the abstract transitions is spurious due to the clustering. The immediate conclusion then is that the spurious counterexample is caused because the predicates used for computing the abstraction were insufficient. For this case, we use the idea of weakest precondition from software model checking [119, 33]. We compute the weakest precondition of the property (or existing predicates) with respect to the transition function given by the circuit to obtain new word-level predicates. We present a technique to avoid the blowup in the size of weakest preconditions when computing the predicates. The use of weakest preconditions provides a good heuristic for finding the predicates for refinement. However, there is no theoretical guarantee that the abstraction refinement loop will make progress with the addition of new predicates². The overall flow of the various techniques described above is shown in Fig. 5.2.

Figure 5.2: Abstraction-refinement loop in this work.

We describe our modeling of a circuit in Section 5.2. Section 5.3 describes SAT-based predicate abstraction with the help of an example. Techniques for clustering the given set of predicates are presented in Section 5.4. We describe techniques for abstraction-refinement in Section 5.5.

² In principle this problem can be solved by allowing predicates with universally quantified input variables or indexed predicates [104].
module main (clk);
  input clk;
  reg [7:0] x, y;

  initial x = 1;
  initial y = 0;

  always @(posedge clk) begin
    y <= x;
    if (x < 100) x <= y + x;
  end
endmodule

Figure 5.3: A Verilog program used as running example.


5.2 Word-Level Transition Functions


Let $\{r_1, \ldots, r_n\}$ denote the set of registers in a given Verilog program. For example, the state of the Verilog program in Fig. 5.3 is defined by the value of the registers $x$ and $y$, and each of them has a storage capacity of 8 bits. Let $S$ denote the set of states for a given Verilog program.

We treat external inputs like registers without a next-state function. Let $Q \subseteq \{r_1, \ldots, r_n\}$ denote the set of registers that are not external inputs, i.e., have a next-state function. We denote the next-state function of a word-level register $r_i \in Q$ by $f_i(r_1, \ldots, r_n)$, or $f_i(\vec{r})$ using vector notation, where $\vec{r} = (r_1, \ldots, r_n)$. We use the word-level next-state functions $f_i$ to define the transition relation $R(\vec{r}, \vec{r}')$. The transition relation relates the current state $\vec{r} \in S$ to the next state $\vec{r}' \in S$ and is defined as follows:

$R(\vec{r}, \vec{r}') := \bigwedge_{r_i \in Q} \left( r_i' = f_i(\vec{r}) \right)$

Example 17 Consider the Verilog program in Fig. 5.3. The next-state function for the register $x$ is given as follows: if the value of $x$ in the current state is less than 100, then the value of $x$ in the next state is equal to the sum of the current values of $x$ and $y$, that is $x + y$. If the value of $x$ is greater than or equal to 100, then the value of $x$ in the next state remains unchanged. The value of $y$ in the next state is equal to the value of $x$ in the current state. We use the ternary choice operator $c\,?\,g : h$ to denote a function that evaluates to $g$ when the condition $c$ is true, otherwise it evaluates to $h$. We denote the next-state functions of $x$ and $y$ as $f_x(x, y)$ and $f_y(x, y)$, respectively, and the transition relation as $R(x, y, x', y')$.

$f_x(x, y) := ((x < 100)\,?\,(x + y) : x)$

$f_y(x, y) := x$

$R(x, y, x', y') := (x' = ((x < 100)\,?\,(x + y) : x)) \wedge (y' = x)$

In a netlist level representation there is a next-state function for each bit in the registers $x, y$. In contrast, we have a next-state function for the whole registers $x, y$ and not for the individual bits of $x, y$. We represent the circuit using register-level or word-level next-state functions.

Example 18 Consider the Verilog program in Fig. 5.3. We wish to show that the value of $x$ is always less than 200. Intuitively, the property holds because the value of $x$ follows a sequence starting from 1 to 144. Upon reaching the value 144, the guard in the next-state function for $x$ becomes false, and its value remains unchanged. The values of $x$ and $y$ in each state are shown in Fig. 5.4.

Figure 5.4: The value of x and y in different states.

We follow the counterexample guided abstraction refinement (CEGAR) framework in order to prove or disprove a given property. The first step of the CEGAR loop is to obtain an abstraction of the given program.

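The next-state functions of Example 17 and the property of Example 18, as an added Python example (this is not the thesis's code). It executes $f_x$ and $f_y$ with the 8-bit semantics of `reg [7:0]`, explores the reachable concrete states from the initial state $(x, y) = (1, 0)$ and checks $x < 200$ on every one of them; the function names, the breadth-first exploration and the overflow check at the end are my additions:

```python
from collections import deque

# Added example (not the thesis's code): the word-level next-state functions of
# the Verilog program in Fig. 5.3, executed with 8-bit register semantics, and an
# explicit exploration of the reachable states to check the property of
# Example 18 (x < 200).  Function names are my own.

MASK = 0xFF  # reg [7:0]: every value stored in x or y is truncated to 8 bits


def f_x(x, y):
    """Next-state function of x: ((x < 100) ? (x + y) : x).
    The addition is a bit-vector addition, so it wraps modulo 2^8; a theorem
    prover over unbounded integers would not model this wrap-around."""
    return (x + y) & MASK if x < 100 else x


def f_y(x, y):
    """Next-state function of y: y' = x."""
    return x


def R(x, y, x_next, y_next):
    """Transition relation R(x, y, x', y') := (x' = f_x(x, y)) /\ (y' = f_y(x, y))."""
    return x_next == f_x(x, y) and y_next == f_y(x, y)


def reachable_states(x0=1, y0=0):
    """Concrete states reachable from the initial state (x = 1, y = 0), in
    discovery order; this is the state sequence of Fig. 5.4."""
    seen, order, frontier = set(), [], deque([(x0, y0)])
    while frontier:
        x, y = frontier.popleft()
        if (x, y) in seen:
            continue
        seen.add((x, y))
        order.append((x, y))
        frontier.append((f_x(x, y), f_y(x, y)))
    return order


def property_holds(bound=200):
    """P(r) := x < bound, checked on every reachable concrete state."""
    return all(x < bound for x, _ in reachable_states())


if __name__ == "__main__":
    print(reachable_states())
    print("x < 200 on all reachable states:", property_holds())
```

Run as a script it prints the state sequence of Fig. 5.4, which ends in the fixed point (144, 144), so the property holds. The masking in `f_x` is the point the chapter makes about bit-level solvers: the 8-bit addition wraps, so for a state such as $(99, 200)$ the circuit computes 43 where an unbounded-integer model would compute 299.
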
5.3 Predicate Abstraction

In predicate abstraction [85], the variables of the concrete program are replaced by Boolean variables that correspond to predicates on the variables in the concrete program. These predicates are functions that map a concrete state $\vec{r} \in S$ into a Boolean value. Let $B = \{\pi_1, \ldots, \pi_k\}$ be the set of predicates. When applying all predicates to a specific concrete state, one obtains a vector of Boolean values, which represents an abstract state $b$. We denote this function by $\alpha(\vec{r})$. It maps a concrete state into an abstract state and is therefore called an abstraction function.

We perform an existential abstraction [57], i.e., the abstract model can make a transition from an abstract state $b$ to $b'$ iff there is a transition from $\vec{r}$ to $\vec{r}'$ in the concrete model and $\vec{r}$ is abstracted to $b$ and $\vec{r}'$ is abstracted to $b'$. We call the abstract machine $\hat{T}$, and we denote the transition relation of $\hat{T}$ by $\hat{R}$. Formally:

$\hat{R} := \{ (b, b') \mid \exists \vec{r}, \vec{r}' \in S : \alpha(\vec{r}) = b \wedge R(\vec{r}, \vec{r}') \wedge \alpha(\vec{r}') = b' \}$ (5.1)

We refer to a set and its Boolean representation interchangeably. For example, in the above equation $\hat{R}$ denotes a set of abstract transitions. A Boolean (characteristic) function representing this set is denoted as $\hat{R}(b, b')$.

The initial set of states $I(\vec{r})$ is abstracted as follows:

$\hat{I}(b) := \exists \vec{r} \in S : (\alpha(\vec{r}) = b) \wedge I(\vec{r})$

The abstraction of a safety property $P(\vec{r})$ is defined as follows: for the property to hold on an abstract state $b$, the property must hold on all states $\vec{r}$ that are abstracted to $b$.

$\hat{P}(b) := \forall \vec{r} \in S : (\alpha(\vec{r}) = b) \Rightarrow P(\vec{r})$

Thus, if $\hat{P}$ holds on all reachable states of the abstract model, $P$ also holds on all reachable states of the concrete model.

The techniques described in this chapter can be used to check any LTL [58] safety property. This is because the spurious counterexamples for LTL safety properties are always finite acyclic paths [65]. Such spurious counterexamples can be removed during the refinement phase (Section 5.5). Predicate abstraction can also be used to verify an arbitrary LTL property, including liveness properties, if the transition relation is total. However, this requires removal of counterexamples containing loops and is left for future research.


SAT-based Predicate Abstraction

In [59], the authors propose to use a SAT solver to compute the abstraction of a sequential ANSI-C program. This approach supports all ANSI-C integer operators, including the bit-vector operators. We use a similar technique for computing the abstraction of Verilog programs.

A symbolic variable $b_i$ is associated with each predicate $\pi_i$. Each concrete state $\vec{r} = (r_1, \ldots, r_n)$ maps to an abstract state $b = (b_1, \ldots, b_k)$, where $b_i = \pi_i(\vec{r})$. If the concrete machine makes a transition from state $\vec{r}$ to state $\vec{r}' = (r_1', \ldots, r_n')$, then the abstract machine makes a transition from state $b$ to $b' = (b_1', \ldots, b_k')$, where $b_i' = \pi_i(\vec{r}')$. We refer to $\pi_i(\vec{r})$ as a current-state predicate and $\pi_i(\vec{r}')$ as a next-state predicate. For example, if $x = y$ denotes a current-state predicate, then its next-state version is $x' = y'$.

The formula that is passed to the SAT solver directly follows from the definition of the abstract transition relation $\hat{R}$ as given in equation 5.1:

$\hat{R} := \{ (b, b') \mid \exists \vec{r}, \vec{r}' : \Gamma(\vec{r}, \vec{r}', b, b') \}$, where (5.2)

$\Gamma(\vec{r}, \vec{r}', b, b') := \bigwedge_{i=1}^{k} b_i = \pi_i(\vec{r}) \;\wedge\; R(\vec{r}, \vec{r}') \;\wedge\; \bigwedge_{i=1}^{k} b_i' = \pi_i(\vec{r}')$

The set of abstract transitions $\hat{R}$ is computed by transforming $\Gamma(\vec{r}, \vec{r}', b, b')$ into conjunctive normal form (CNF) and passing the resulting formula to a SAT solver.

Suppose the SAT solver returns $\vec{r}, \vec{r}', b, b'$ as the satisfying assignment. We project out all variables but $b$ and $b'$ from this satisfying assignment to obtain one abstract transition $(b, b')$. Since we want all the abstract transitions, we add a blocking clause to the SAT equation that eliminates all satisfying assignments that assign the same values to $b$ and $b'$, and re-start the solver. This process is continued until the SAT formula becomes unsatisfiable. The disjunction of the abstract transitions obtained gives us the abstract transition relation $\hat{R}$.

Example 19 Let the transition relation $R(x, y, x', y')$ be $x' = y \wedge y' = x$. Let the set of predicates be $\{x = 1, y = 1\}$. The equation for computing $\hat{R}$ is given as follows:

$\exists x, y, x', y' : (b_1 \Leftrightarrow (x = 1)) \wedge (b_2 \Leftrightarrow (y = 1)) \wedge R(x, y, x', y') \wedge (b_1' \Leftrightarrow (x' = 1)) \wedge (b_2' \Leftrightarrow (y' = 1))$

The set of satisfying assignments to the above equation results in $\hat{R}(b_1, b_2, b_1', b_2')$ as $((b_1' \Leftrightarrow b_2) \wedge (b_2' \Leftrightarrow b_1))$.

The predicates used for abstraction can be arbitrary Boolean expressions allowed by the Verilog syntax. Thus, the predicates can involve operators for concatenation, extraction, etc. For example, a[3:0] > 7 and ram[{addr, 1'b0}] == d[9:2] are allowed as predicates. Predicates can refer to individual bits in a register. For example, rg[i] is a valid predicate, where rg is a register and i is an index.

The set of abstract initial states can be enumerated using a SAT solver in a similar manner.


5.4 Predicate Clustering

We call the computation of the exact existential abstraction as described in the previous section the Eager Approach. A single abstract transition relation is computed using all the available predicates. In the worst case, the number of satisfying assignments generated from Eqn. 5.2 is exponential in the number of predicates. In practice, computing abstractions using the eager approach can be very slow even for a small number of predicates.

The speed of the abstraction step can be increased if we do not aim at the most precise abstract transition relation. That is, we allow our abstraction to be an over-approximation of the abstract transition relation generated by the eager approach. Software predicate abstraction tools abstract the individual statements or basic blocks separately. As only a small number of predicates are typically affected at each statement or basic block, simple heuristics can be used to compute the abstraction quickly. The SLAM toolkit, for example, limits the number of predicates in each theorem prover query. In contrast, each transition in an RT-level circuit consists of simultaneous assignments to all registers. All predicates might change their value in each transition of the circuit. Thus, more sophisticated techniques are needed to compute the predicate abstraction of circuits efficiently.

Our solution to the above problem is as follows: the set of predicates and their next-state versions is clustered into smaller sets of related predicates. We call these sets clusters, and denote them by $C_1, \ldots, C_l$, with $C_j \subseteq \{\pi_1, \ldots, \pi_k, \pi_1', \ldots, \pi_k'\}$. Note that we do not require the clusters to be disjoint, that is, they can have common predicates. We abstract the transition system with respect to each cluster $C_1, \ldots, C_l$. This results in a total of $l$ abstract transition relations $\hat{R}_1, \ldots, \hat{R}_l$, which are conjoined to form $\hat{R}$:

$\hat{R} := \bigwedge_{j=1}^{l} \hat{R}_j$ (5.3)

The equation for abstracting the transition system with respect to $C_j$ is given as follows:

$\hat{R}_j := \exists \vec{r}, \vec{r}' : \bigwedge_{\pi_i \in C_j} b_i = \pi_i(\vec{r}) \;\wedge\; R(\vec{r}, \vec{r}') \;\wedge\; \bigwedge_{\pi_i' \in C_j} b_i' = \pi_i(\vec{r}')$

The satisfying assignments to the above equation correspond to the abstract transition relation $\hat{R}_j$. The number of satisfying assignments to the above equation is limited by the size of cluster $C_j$, that is, $2^{|C_j|}$. Clearly, by limiting the size of $C_j$, we can compute the abstract transition relations much faster as compared to the eager approach.

We refer to the above technique of generating smaller clusters from a given set of predicates, and using these clusters for computing the abstraction $\hat{R}$, as predicate clustering.


Proposition 1 If $\hat{Q}$ denotes the abstract transition relation obtained by using the eager approach (Eqn. 5.2), and $\hat{R}$ denotes the abstract transition relation obtained by predicate clustering (Eqn. 5.3), then $\hat{Q} \Rightarrow \hat{R}$, or $\hat{Q} \subseteq \hat{R}$ using set notation.


Proof. Let the set of predicates be $Pr$. $\hat{Q}$ denotes the abstraction with respect to $Pr$. From Eqn. 5.3, $\hat{R} = \bigwedge_{j=1}^{l} \hat{R}_j$, where $\hat{R}_j$ denotes the abstraction with respect to a cluster $C_j$ and $C_j \subseteq Pr$. The above claim is proved by showing that for all $1 \le j \le l$, $\hat{Q} \Rightarrow \hat{R}_j$, or $\hat{Q} \subseteq \hat{R}_j$ using set notation. We will treat $\hat{Q}$ and $\hat{R}_j$ as sets of abstract transitions and show that $\hat{Q} \subseteq \hat{R}_j$. We rewrite the definitions of $\hat{Q}$ and $\hat{R}_j$ as follows:

$\hat{Q} := \{ (b, b') \mid \exists \vec{r}, \vec{r}' : \delta(\vec{r}, \vec{r}', b, b', Pr) \}$

$\hat{R}_j := \{ (b, b') \mid \exists \vec{r}, \vec{r}' : \delta(\vec{r}, \vec{r}', b, b', C_j) \}$

where $\delta(\vec{r}, \vec{r}', b, b', Z)$ relates concrete states $\vec{r}, \vec{r}'$ and abstract states $b, b'$ with respect to a set of predicates $Z$.

$\delta(\vec{r}, \vec{r}', b, b', Z) := \bigwedge_{\pi_i \in Z} b_i = \pi_i(\vec{r}) \;\wedge\; R(\vec{r}, \vec{r}') \;\wedge\; \bigwedge_{\pi_i' \in Z} b_i' = \pi_i(\vec{r}')$

If $Z_2 \subseteq Z_1$ holds, then $\delta(\vec{r}, \vec{r}', b, b', Z_1)$ is equivalent to $\delta(\vec{r}, \vec{r}', b, b', Z_2) \wedge \delta(\vec{r}, \vec{r}', b, b', Z_1 \setminus Z_2)$. Thus, if $\delta(\vec{r}, \vec{r}', b, b', Z_1)$ holds, then $\delta(\vec{r}, \vec{r}', b, b', Z_2)$ holds. If an abstract transition $(a, a') \in \hat{Q}$, then there exist two concrete states $\vec{x}, \vec{x}'$ such that $\delta(\vec{x}, \vec{x}', a, a', Pr)$ holds. Since $C_j \subseteq Pr$, it follows from the above that $\delta(\vec{x}, \vec{x}', a, a', C_j)$ holds. Thus, $\exists \vec{r}, \vec{r}' : \delta(\vec{r}, \vec{r}', a, a', C_j)$ holds and $(a, a') \in \hat{R}_j$. This shows $\hat{Q} \subseteq \hat{R}_j$. As $\hat{Q} \subseteq \hat{R}_j$ for all $1 \le j \le l$ and $\hat{R} = \bigcap_j \hat{R}_j$, it follows that $\hat{Q} \subseteq \hat{R}$. □

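The blocking-clause enumeration of Eqn. 5.2 (Example 19) and the clustered abstraction of Eqn. 5.3 together with the inclusion $\hat{Q} \subseteq \hat{R}$ of Proposition 1, as an added Python example (this is not the thesis's code). A brute-force scan over concrete states with an assumed 3-bit register width stands in for the SAT solver; the predicate encodings, the cluster choices for the relation of Example 21 (the cone clusters $C_1 = \{y = 1, x' = 2\}$, $C_2 = \{x = 2, y' = 1, z' > 3\}$ of Section 5.4.1, and current-state-only clusters in the style of Section 5.4.2) and all function names are my assumptions:

```python
from itertools import product

# Added example (not the thesis's code): SAT-style all-solutions enumeration of
# the abstract transition relation (Eqn. 5.2) and predicate clustering (Eqn. 5.3).
# A brute-force scan over concrete states stands in for the SAT solver; the
# register width, predicate encodings and helper names are my assumptions.

WIDTH = 3  # assumed bit width of every register; keeps the concrete state space tiny

# A predicate is a triple (name, primed, fn): `primed` says whether it is a
# next-state predicate pi_i(r') (evaluated on r') or a current-state predicate
# pi_i(r) (evaluated on r); `fn` maps a state dict to a bool.


def abstract(r, r_next, preds):
    """alpha applied to (r, r'): the abstract transition (b, b') as one tuple of
    Booleans, in the order of `preds`."""
    return tuple(fn(r_next) if primed else fn(r) for _, primed, fn in preds)


def find_model(regs, next_state, preds, blocked):
    """Stand-in for one SAT call on Gamma(r, r', b, b') conjoined with the
    blocking clauses: return an abstract transition realised by some concrete
    (r, r') with R(r, r') that is not yet in `blocked`, or None if UNSAT."""
    for values in product(range(1 << WIDTH), repeat=len(regs)):
        r = dict(zip(regs, values))
        b = abstract(r, next_state(r), preds)
        if b not in blocked:
            return b
    return None


def abstract_transition_relation(regs, next_state, preds):
    """Eager enumeration: solve, project onto (b, b'), add a blocking clause,
    re-start, until the formula becomes unsatisfiable."""
    found = set()
    while (b := find_model(regs, next_state, preds, found)) is not None:
        found.add(b)  # membership in `found` plays the role of the blocking clause
    return found


def clustered_transition_relation(regs, next_state, preds, clusters):
    """Eqn. 5.3: abstract w.r.t. each cluster (a list of indices into `preds`)
    separately and conjoin the results.  A predicate in no cluster is left
    unconstrained, which is what a completely lazy abstraction does."""
    per_cluster = [
        (cl, abstract_transition_relation(regs, next_state, [preds[i] for i in cl]))
        for cl in clusters
    ]
    return {
        b for b in product((False, True), repeat=len(preds))
        if all(tuple(b[i] for i in cl) in rel for cl, rel in per_cluster)
    }


def example19():
    """R(x, y, x', y') := x' = y /\ y' = x with predicates {x = 1, y = 1};
    the text's result is (b1' <-> b2) /\ (b2' <-> b1)."""
    preds = [
        ("x=1", False, lambda s: s["x"] == 1),
        ("y=1", False, lambda s: s["y"] == 1),
        ("x'=1", True, lambda s: s["x"] == 1),
        ("y'=1", True, lambda s: s["y"] == 1),
    ]
    return abstract_transition_relation(
        ["x", "y"], lambda r: {"x": r["y"], "y": r["x"]}, preds)


def example21():
    """R := x' = y /\ y' = x /\ z' = x with predicates {x = 2, y = 1, z > 3} and
    their next-state versions.  Returns (eager Q, cone-clustered R, lazy R)."""
    preds = [
        ("x=2", False, lambda s: s["x"] == 2),
        ("y=1", False, lambda s: s["y"] == 1),
        ("z>3", False, lambda s: s["z"] > 3),
        ("x'=2", True, lambda s: s["x"] == 2),
        ("y'=1", True, lambda s: s["y"] == 1),
        ("z'>3", True, lambda s: s["z"] > 3),
    ]
    regs = ["x", "y", "z"]
    step = lambda r: {"x": r["y"], "y": r["x"], "z": r["x"]}
    eager = abstract_transition_relation(regs, step, preds)
    # cone clusters of Example 21: C1 = {y = 1, x' = 2}, C2 = {x = 2, y' = 1, z' > 3}
    cone = clustered_transition_relation(regs, step, preds, [[1, 3], [0, 4, 5]])
    # lazy-style clusters: current-state predicates only, one per variable
    lazy = clustered_transition_relation(regs, step, preds, [[0], [1], [2]])
    return eager, cone, lazy
```

For Example 19 the enumeration returns the four abstract transitions satisfying $b_1' = b_2$ and $b_2' = b_1$. For the relation of Example 21 the cone clusters lose nothing (the clustered relation equals the eager one, 24 transitions), whereas the current-state-only clusters admit every one of the 64 abstract transitions, including the spurious transition from $x = 2$ to $y' = 1$ that the eager abstraction rules out; this is the kind of spurious transition that Section 5.5 removes by refinement. In a real solver the blocking clause is the clause that negates the projected $(b, b')$ assignment; here the `found` set does the same job.
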
We discuss techniques for creating predicate clusters next. Let $var(e)$ denote the set of variables (state elements and inputs) appearing in an expression $e$. For example, $var(x' + y' < 200)$ is $\{x', y'\}$. If $e$ contains combinational elements, we replace them by their definition in terms of state elements and inputs before computing $var(e)$.

Clarke et al. [55] call two formulas $g_1$ and $g_2$ interfering iff $var(g_1) \cap var(g_2) \neq \emptyset$. The authors use the notion of interference to partition a set of formulas into various formula clusters. This technique can be used for clustering the set of predicates as well. However, our early unreported experiments indicate that this results in clusters that are too large. Thus, we make the conditions for keeping two predicates together stronger, which leads to a smaller number of predicates per cluster. We evaluate two different techniques for creating the predicate clusters used in predicate clustering: cone clustering and clustering for lazy abstraction.

5.4.1 Syntactic Cone Clustering

This technique clusters next-state predicates with current-state predicates that are related to each other. In order to identify when a next-state predicate is related to a current-state predicate we use cone of influence computation [58].
Given a formula $g'$ in terms of next-state variables $\vec{r}'$, the current-state variables $\vec{r}$ that affect the value of the variables in $var(g')$ are denoted by $cone(g')$. It is defined as follows: the variables in the next-state functions for the registers mentioned in $g'$ form the cone of $g'$. Recall that the set of registers is denoted by $Q$. The next-state function of a particular register $r_i \in Q$ is given by $f_i(\vec{r})$.

$cone(g') := \bigcup_{r_i' \in var(g') \,\wedge\, r_i \in Q} var(f_i(\vec{r}))$

The value of $g'$ in a given state depends only on the values of the variables in $cone(g')$ in the previous state.


Example 20 Let $g'$ be $a' < b'$. Let the next-state functions for $a', b'$ be $x + b$ and $c$, respectively. Here, $var(g') = \{a', b'\}$ and $cone(g') = \{x, b, c\}$. Given the values of $x, b, c$ in a state, the value of the predicate $a < b$ in the next state, that is, the value of $a' < b'$, is $x + b < c$. Thus, we would like to keep the current-state predicates over variables $\{x, b, c\}$ and the next-state predicate $a' < b'$ in the same cluster. This allows the value of the predicate $a' < b'$ to be tracked precisely in the abstract model.

Let the set of predicates and their next-state versions $\{\pi_1, \ldots, \pi_k, \pi_1', \ldots, \pi_k'\}$ be $C$. The clusters of $C$ are created by the following two steps:

1. The next-state predicates that have identical cone sets are kept in a single cluster. Intuitively, these predicates depend on exactly the same set of variables from the previous state and hence are related to each other. That is, if $cone(\pi_i') = cone(\pi_j')$, then $\pi_i'$ and $\pi_j'$ are kept in the same cluster. Let $C_1', \ldots, C_l'$ be the clusters of $\{\pi_1', \ldots, \pi_k'\}$ obtained after this step. Since all the predicates in a given cluster $C_i'$ have the same cone, we define $cone(C_i')$ as the cone of any element in $C_i'$.

2. The final set of clusters is given by $\{C_1, \ldots, C_l\}$. Each $C_i$ contains all the next-state predicates from $C_i'$ and the current-state predicates that mention variables in the cone of $C_i'$. Formally, $C_i$ is defined as follows:

$C_i := C_i' \cup \{ \pi_j \mid var(\pi_j) \subseteq cone(C_i') \}$

Example 21 Let the transition relation $R(x, y, z, x', y', z')$ be $x' = y \wedge y' = x \wedge z' = x$. Let the set of predicates be $\{x = 2, y = 1, z > 3, x' = 2, y' = 1, z' > 3\}$. The cone sets for the next-state predicates $x' = 2, y' = 1, z' > 3$ are $\{y\}, \{x\}, \{x\}$, respectively. After the first step of the clustering, the clusters are $C_1' := \{x' = 2\}$ and $C_2' := \{y' = 1, z' > 3\}$. Even though $y' = 1$ and $z' > 3$ do not share a common set of variables, they are kept in the same cluster, as they have the identical cone set $\{x\}$.

Since $cone(C_1') := \{y\}$ and $cone(C_2') := \{x\}$, the clusters obtained after the second step of the clustering are $C_1 := \{y = 1, x' = 2\}$ and $C_2 := \{x = 2, y' = 1, z' > 3\}$. Observe how the predicates in a given cluster affect each other. For example, in $C_2$, if $x = 2$ is true, then we know that $y' = 1$ and $z' > 3$ will be false (as $y'$ and $z'$ equal $x$). If $x = 2$ is false, then $y' = 1$ can be either true or false and $z' > 3$ can be either true or false. However, both $y' = 1$ and $z' > 3$ cannot be true together.


Since cone clustering attempts to keep all related predicates together, the abstractions produced are not much coarser than those produced by the eager approach. However, in general there is no bound on the number of predicates in a given cluster. In the worst case there might be a cluster containing most of the current-state and next-state predicates.

5.4.2 Syntactic Clustering for Lazy Abstraction

The idea of lazy abstraction [88] is to start with a coarse initial abstract model which is refined on demand as required by spurious counterexamples. Since a coarse abstract model is computed, the abstraction step is usually very fast. This prevents the abstraction step from becoming a bottleneck when computing the abstraction of large circuits or when a large number of predicates are available for abstraction.

A completely lazy abstraction corresponds to using no predicate clusters. Thus, the initial abstraction is simply true. We follow a variant of this technique: all current-state predicates that contain the same set of variables are kept in the same cluster. That is, if $var(\pi_i) = var(\pi_j)$, then $\pi_i$ and $\pi_j$ are kept in the same cluster. This is useful if the given set of predicates contains many mutually exclusive (or related) predicates such as $x = 1, x = 2, x > 2$. Keeping these predicates in separate clusters results in an abstract model that does not keep track of the relationships between the predicates $x = 1, x = 2, x > 2$. Such an abstract model can contain a large number of spurious abstract states, such as an abstract state in which both $x = 1$ and $x = 2$ are true.

The next-state predicates are not used in the clusters. Thus, the abstraction produced only contains predicate relationships that hold in each abstract state (not between states). If needed, the relationships between current-state and next-state predicates are discovered lazily using refinement (Section 5.5).

Example 22 Let the set of current-state predicates be $\{x < 2, x = 1, y = 1, z > 1\}$. The clusters produced for lazy abstraction are $C_1 := \{x < 2, x = 1\}$, $C_2 := \{y = 1\}$, and $C_3 := \{z > 1\}$.

In this example let the next-state function of $y$ be equal to $x$ (that is, $y' := x$). The predicates involving $x$ and $y'$ are not present together in any cluster. Thus, the abstract model generated using lazy abstraction allows an abstract transition from a state where $x = 1$ to a state where $y \neq 1$. This is a spurious abstract transition because the value of $y = 1$ in the next state must equal the value of $x = 1$ in the previous state. This fact would be tracked in the most precise abstraction and in the abstraction computed using cone clustering, as the predicates $x = 1, y' = 1$ are kept together in the same cluster.

Once the abstraction of the concrete system is obtained, we model-check it using a model-checker for finite state systems like SMV [3, 11]. If the abstract model satisfies the property, the property also holds on the original, concrete circuit. If the model checking of the abstraction fails, we obtain a counterexample from the model-checker. In order to check if an abstract counterexample corresponds to a concrete counterexample, a simulation step is performed. This is done using bounded model checking [42]. If the counterexample cannot be simulated on the concrete model, it is called a spurious counterexample. Many spurious counterexamples arise due to predicate clustering. The elimination of spurious counterexamples from the abstract model is described in the next section.


5.5  Abstraction  Refinement 

When  refining  the  abstract  model,  we  distinguish  between  two  cases  of  spurious 
behavior,  as  done  in  [63]: 

1.  Spurious  transitions  are  abstract  transitions  that  do  not  have  any  corre¬ 
sponding  concrete  transitions.  By  definition,  spurious  transitions  cannot 
appear  in  the  most  precise  abstraction,  which  is  computed  by  the  eager  ap¬ 
proach.  However,  as  we  noted  earlier,  computing  the  most  precise  abstract 
model  is  expensive  and  thus,  we  make  use  of  the  various  predicate  cluster¬ 
ing  techniques  which  can  result  in  a  coarse  abstraction.  This  can  result  in 
many  spurious  transitions. 

2.  Spurious  prefixes  are  prefixes  of  the  abstract  counterexample  that  do  not 
have  a  corresponding  concrete  path.  This  happens  when  the  set  of  predicates 
is  not  rich  enough  to  capture  the  relevant  behaviors  of  the  concrete  system, 
even  for  the  most  precise  abstraction. 
Given a spurious counterexample we first check if any transition in the counterexample is spurious. If a spurious transition is found, it is eliminated from the abstract model by adding a constraint to the abstract model. If no transition in the counterexample is spurious, then new predicates are generated in order to eliminate a spurious prefix in the counterexample. We treat the entire spurious counterexample as a spurious prefix and do not find the shortest spurious prefix.

An abstract counterexample is a sequence of abstract states $s(0), \ldots, s(l)$ where each abstract state $s(j)$ corresponds to a valuation of the $k$ predicates $\pi_1, \ldots, \pi_k$. The value of $\pi_i$ in a state $s$ is denoted by $s_i$. Given an abstract state $s$, let $\beta(s)$ denote the conjunction of predicates (or their negations) depending upon their values in $s$. For example, let $s$ be an abstract state in which the predicate $x < 2$ is true and the predicate $x = y$ is false. Then $\beta(s) = x < 2 \wedge \neg(x = y)$.

$$\beta(s) := \bigwedge_{i=1}^{k} (\pi_i \Leftrightarrow s_i)$$

We write $\beta(s, r)$ to denote that the variables in $\beta(s)$ refer to the concrete variables $r$.


5.5.1  Detecting  and  Removing  Spurious  Transitions 

An abstract transition from $s$ to $t$ is a spurious transition iff there are no concrete states $r, r'$ such that $r$ is abstracted to $s$, $r'$ is abstracted to $t$, and there is a transition from $r$ to $r'$. Formally, the abstract transition from $s$ to $t$ is spurious iff the following formula is unsatisfiable:

$$\beta(s, r) \wedge R(r, r') \wedge \beta(t, r')$$

The formula above is transformed into CNF and passed to a SAT solver. If the SAT solver finds the formula satisfiable, the abstract transition can be simulated on the concrete model. Otherwise, the abstract transition is spurious. In this case, the spurious transition can be removed from the abstract model by adding a constraint to the abstract model.

When generating the CNF instance for the simulation of the abstract transition from $s$ to $t$, we store the mapping of each predicate $\pi_i$, $\pi_i'$ to the corresponding literal $l_i$ in the CNF instance. If the abstract transition is spurious, the CNF instance is unsatisfiable. In this case, we extract an unsatisfiable core [146] from the given CNF instance. An unsatisfiable core of a CNF instance is a subset of the original set of clauses that is also unsatisfiable. Current state-of-the-art SAT solvers are quite effective at producing small unsatisfiable cores, when they exist.

Let us denote the set of current-state predicates whose corresponding CNF literal $l_i$ appears in the unsatisfiable core by $X$. We have a similar set for the next-state predicates, which we call $Y$. Intuitively, the predicates in $X$ and $Y$ taken together are sufficient to prove that the abstract transition from $s$ to $t$ is spurious. All abstract transitions where the predicates in $X$ and $Y$ have the same truth values as given by the states $s$ and $t$, respectively, are spurious. These spurious transitions are eliminated by adding a constraint to the abstract model. Let $b_i$ and $b_i'$ be the variables used for the predicates $\pi_i$ and $\pi_i'$ in the abstract model. The constraint added to the abstract model is as follows:

$$\neg\left( \bigwedge_{i \in X} (b_i \Leftrightarrow s_i) \;\wedge\; \bigwedge_{i \in Y} (b_i' \Leftrightarrow t_i) \right)$$

Proposition 2 Every abstract transition from $u$ to $v$ such that the predicates in $X$ have the same value in $u$ and $s$, and the predicates in $Y$ have the same value in $v$ and $t$, is spurious. The constraint above removes all of these spurious transitions from the abstract model.

Example 23 Let the set of current-state predicates be $\{x < 2, x = 1, y = 1, z > 1\}$. Consider the abstract transition from $s = \{b_1 = 1, b_2 = 1, b_3 = 1, b_4 = 1\}$ to $t = \{b_1' = 0, b_2' = 0, b_3' = 0, b_4' = 0\}$, where $b_1, b_2, b_3, b_4$ correspond to the predicates $x < 2$, $x = 1$, $y = 1$, $z > 1$, respectively. Let the next-state function of $y$ be $x$, i.e., $y' = x$. Observe that in the state $s$, $x = 1$. This implies that $y = 1$ in $t$ (as $y' = x$). However, $b_3'$ is false in $t$ and thus, the abstract transition from $s$ to $t$ is spurious. As described in Section 5.4.2, the abstract transition from $s$ to $t$ can arise when using lazy abstraction. This spurious transition can be eliminated by adding the following constraint to the abstract model [69]: $\neg(b_1 \wedge b_2 \wedge b_3 \wedge b_4 \wedge \neg b_1' \wedge \neg b_2' \wedge \neg b_3' \wedge \neg b_4')$.

However, the constraint above removes just one spurious transition. By examining an unsatisfiable core, we can make the constraint more general, thereby eliminating many spurious transitions at the same time. In this example, the cause of the spurious behavior is $b_2 = 1$ and $b_3' = 0$. The unsatisfiable core technique described above is capable of discovering this fact. This allows us to eliminate the abstract transition from $s$ to $t$ and 63 more spurious transitions by adding the following constraint to the abstract model: $\neg(b_2 \wedge \neg b_3')$. (With four current-state and four next-state predicates the abstract model has $2^8 = 256$ possible transitions, and $2^6 = 64$ of them assign $b_2 = 1$ and $b_3' = 0$.) It is very important to remove as many spurious transitions as possible in order to make the CEGAR loop terminate quickly.


Semantic  Predicate  Clustering 

The predicates responsible for making an abstract transition spurious can be treated as a predicate cluster $C$, which can be used during the abstraction step. Suppose an abstract transition from $s$ to $t$ is spurious. Let $C$ denote the set of current-state and next-state predicates responsible for this spurious transition as identified by an unsatisfiable core. As described above, the predicates appearing in $C$ are used to remove the spurious transition from $s$ to $t$. In semantic predicate clustering, $C$ is also added to the existing set of predicate clusters and is used to compute the abstraction (Eqn. 5.3) in the subsequent iterations. Intuitively, the predicates occurring in $C$ are semantically related because a particular assignment of truth values to the predicates in $C$ (as given by $s$, $t$) can make an abstract transition spurious. Thus, by computing all possible relationships between the predicates in $C$ (during abstraction), we remove all abstract transitions that are spurious due to the predicates in $C$.
Example 24 For the spurious transition in the example above, we obtain $C := \{x = 1, y' = 1\}$. The predicates in $C$ are used to eliminate multiple spurious transitions by adding the constraint $\neg(b_2 \wedge \neg b_3')$. However, even after adding this constraint the abstract model allows another spurious transition from a state $u$ where $\neg(x = 1)$ to a state $v$ where $y = 1$ (that is, $y' = 1$). In semantic predicate clustering $C$ is added as a predicate cluster. The abstraction step will discover that $b_2 \Leftrightarrow b_3'$ using $C$. Thus, the spurious transition from $u$ to $v$ cannot arise.
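The spurious-transition check of Section 5.5.1, the unsatisfiable-core generalization of Proposition 2 and the semantic cluster of Example 24, worked through on Example 23 as an added Python example. This is not code from the thesis or from VCEGAR. It assumes that the registers x, y, z are 2-bit values and that x' and z' are driven by unconstrained inputs, so that the SAT query can be answered by exhaustive enumeration instead of a CNF encoding; the deletion-based core in unsat_core stands in for the core a SAT solver would return, and the names is_spurious, unsat_core, blocked_transitions and abstract_cluster are hypothetical.

```python
from itertools import product

# Constructed toy instance of Examples 23 and 24 (not the thesis's or VCEGAR's code).
# Assumption: x, y, z are 2-bit unsigned registers, so the SAT query of Section 5.5.1
# can be answered by exhaustive enumeration instead of a CNF encoding.
WIDTH = 2
VALUES = range(1 << WIDTH)
REGS = ("x", "y", "z")

# Current-state predicates pi_1..pi_4 (abstract variables b_1..b_4) of Example 23.
PREDS = [
    ("x<2",  lambda r: r["x"] < 2),
    ("x==1", lambda r: r["x"] == 1),
    ("y==1", lambda r: r["y"] == 1),
    ("z>1",  lambda r: r["z"] > 1),
]

def transition(r, rn):
    """Concrete transition relation R(r, r'): y' = x as in Example 23.
    Assumption: x' and z' are driven by unconstrained external inputs."""
    return rn["y"] == r["x"]

def all_states():
    for vals in product(VALUES, repeat=len(REGS)):
        yield dict(zip(REGS, vals))

def beta(s, r, idx):
    """beta(s, r) restricted to the predicates in idx: r agrees with abstract state s."""
    return all(PREDS[i][1](r) == s[i] for i in idx)

def is_spurious(s, t, X=None, Y=None):
    """s -> t is spurious iff beta(s,r) & R(r,r') & beta(t,r') has no model.
    X / Y restrict which current- / next-state predicates are enforced."""
    X = range(len(PREDS)) if X is None else X
    Y = range(len(PREDS)) if Y is None else Y
    return not any(beta(s, r, X) and transition(r, rn) and beta(t, rn, Y)
                   for r in all_states() for rn in all_states())

def unsat_core(s, t):
    """Deletion-based minimal core standing in for the solver's unsat core:
    drop predicates one at a time while s -> t stays spurious. Returns (X, Y)."""
    assert is_spurious(s, t)
    X, Y = list(range(len(PREDS))), list(range(len(PREDS)))
    for i in list(X):
        if is_spurious(s, t, [j for j in X if j != i], Y):
            X.remove(i)
    for i in list(Y):
        if is_spurious(s, t, X, [j for j in Y if j != i]):
            Y.remove(i)
    return X, Y

def blocked_transitions(s, t, X, Y):
    """Abstract transitions u -> v removed by the generalized constraint
    not( AND_{i in X} (b_i <=> s_i) and AND_{i in Y} (b'_i <=> t_i) ) (Proposition 2)."""
    n = len(PREDS)
    return [(u, v) for u in product((False, True), repeat=n)
                   for v in product((False, True), repeat=n)
            if all(u[i] == s[i] for i in X) and all(v[i] == t[i] for i in Y)]

def abstract_cluster(cur_idx, next_idx):
    """Existential abstraction of one predicate cluster (Eqn. 5.3): the valuations of
    (current predicates, next-state predicates) realised by some concrete transition."""
    reach = set()
    for r in all_states():
        for rn in all_states():
            if transition(r, rn):
                reach.add((tuple(PREDS[i][1](r) for i in cur_idx),
                           tuple(PREDS[i][1](rn) for i in next_idx)))
    return reach

if __name__ == "__main__":
    s = (True, True, True, True)       # b_1..b_4 = 1 in Example 23
    t = (False, False, False, False)   # b'_1..b'_4 = 0
    X, Y = unsat_core(s, t)
    print("core:", [PREDS[i][0] for i in X], [PREDS[i][0] + "'" for i in Y])
    print("transitions removed by the generalized constraint:", len(blocked_transitions(s, t, X, Y)))
    print("abstraction of cluster {x==1, y'==1}:", sorted(abstract_cluster(X, Y)))
```

On Example 23 the core is ({x = 1}, {y' = 1}), so the generalized constraint $\neg(b_2 \wedge \neg b_3')$ removes 64 of the 256 abstract transitions, each of which the brute-force check confirms to be spurious; the cluster $\{x = 1, y' = 1\}$ abstracts to exactly the two valuations satisfying $b_2 \Leftrightarrow b_3'$, which is what rules out the transition from $u$ to $v$ in Example 24. The deletion-based core is minimal, whereas a SAT solver's core need not be; Proposition 2 holds for either, a larger core merely blocks fewer transitions.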

5.5.2  Detecting  and  Removing  Spurious  Prefixes 

An abstract counterexample $s(0), \ldots, s(l)$ of length $l$ is a spurious prefix iff there is no concrete execution of $l$ transitions such that at each step the concrete state is consistent with the corresponding abstract state. More formally, let $r_0, \ldots, r_l$ denote the concrete state variables at each of the $l + 1$ states. The initial state of the concrete system is denoted as $I(r_0)$.

The abstract counterexample $s(0), \ldots, s(l)$ is a spurious prefix iff the following formula is unsatisfiable:

$$I(r_0) \;\wedge\; \bigwedge_{i=0}^{l-1} R(r_i, r_{i+1}) \;\wedge\; \bigwedge_{i=0}^{l} \beta(s(i), r_i)$$

The above formula is unsatisfiable iff there is no sequence of concrete states $r_0, \ldots, r_l$ such that $r_0$ is an initial state, there is a transition from $r_i$ to $r_{i+1}$ for $0 \le i < l$, and the predicate values in each concrete state $r_j$ exactly match the predicate values given by the abstract state $s(j)$ for $0 \le j \le l$.
In [63], the elimination of spurious prefixes is done by adding a bit-level predicate. This predicate is called a separating predicate and is computed by using a SAT based conflict dependency analysis. In contrast, we make use of weakest preconditions as done in software verification. We generate new word-level predicates from the weakest pre-condition of the given property with respect to the transition function given by the RT-level circuit.

Weakest pre-conditions: In software verification, the weakest pre-condition $\mathit{wp}(st, \gamma)$ of a predicate $\gamma$ is usually defined with respect to a statement $st$ (e.g., an assignment). It is the weakest formula whose truth before the execution of $st$ entails the truth of $\gamma$ after $st$ terminates. In the case of hardware, each state transition can be viewed as a statement where the registers are assigned values according to their next-state functions.

Recall that the set of registers that have a next-state function is denoted by $Q$. External inputs do not appear in this set. The next-state function for register $r_i \in Q$ is given by $f_i(r)$. We use $f$ to denote the vector of the next-state functions for the registers in $Q$. For any expression $e$, the expression $e[x/g]$ denotes the simultaneous substitution of each variable $x_i$ in $e$ by the expression $g_i$ from $g$.

The weakest precondition of the property $\gamma(r)$ with respect to one concrete transition is defined as follows:

$$\mathit{wp}_1(f, \gamma(r)) := \gamma(r)[r/f]$$

The weakest precondition with respect to $i$ consecutive concrete transitions is defined inductively as follows:

$$\mathit{wp}_i(f, \gamma(r)) := \mathit{wp}_1(f, \mathit{wp}_{i-1}(f, \gamma(r))) \qquad (i > 1)$$

In order to refine a spurious prefix of length $l > 0$, we compute $\mathit{wp}_i(f, \gamma)$ for each $1 \le i \le l$, where $\gamma$ is the safety property we are interested in checking. Intuitively, $\gamma$ holds after $i$ transitions iff $\mathit{wp}_i(f, \gamma)$ holds before the $i$ transitions. Refinement corresponds to adding the Boolean expressions occurring in each $\mathit{wp}_i(f, \gamma)$ to the existing set of predicates. The refinement procedure is not guaranteed to make progress.

In the case of circuits, the weakest pre-condition is always computed with respect to the same transition function $f$ and thus, we may omit it as an argument and write $\mathit{wp}_i(\gamma)$.


Example 25 Let the property be $x < 200$. Let the next-state functions for the registers $x$ and $y$ be $((x < 100)\ ?\ (x + y) : x)$ and $x$, respectively. Suppose we obtain a spurious prefix of length 1. The weakest pre-condition is computed as follows:

$$\mathit{wp}_1(x < 200) := (((x < 100)\ ?\ (x + y) : x) < 200)$$

We add the Boolean conditions occurring in $\mathit{wp}_1$ to our set of predicates. Thus, we add $x < 100$ and $(((x < 100)\ ?\ (x + y) : x) < 200)$ as the new predicates.
Simplifying the Weakest Pre-conditions

When the spurious prefix is long, the weakest precondition computation becomes expensive and the predicates generated can become very complex (see $\mathit{wp}_1$ above). This adversely affects the abstraction refinement loop. In software verification, this problem is solved by computing the weakest precondition with respect to the statements appearing in the spurious trace only. This is not directly applicable to a synchronous circuit because the statements occurring in the spurious trace correspond to the next-state functions. The next-state functions usually contain many conditional statements. Thus, simply substituting the next-state functions as done above leads to a blowup in the size of the weakest pre-conditions.

Instead,  we  apply  a  syntactic  simplification  to  the  weakest  preconditions  at 
each  step.  The  simplification  uses  data  from  the  abstract  error  trace.  We  exploit 
the  fact  that  many  of  the  control  flow  guards  in  the  Verilog  code  are  also  present 
in  the  current  set  of  predicates.  The  abstract  trace  assigns  truth  values  to  these 
predicates  in  each  abstract  state.  In  order  to  simplify  the  weakest  pre-conditions, 
we  substitute  the  guards  in  the  weakest  pre-conditions  with  their  truth  values.  Fur¬ 
thermore,  we  only  add  the  atomic  Boolean  expressions  occurring  in  the  weakest 
pre-condition  as  the  new  predicates. 

In order to formalize the simplification of weakest pre-conditions we define a helper function simplify in Algorithm 5.1. Let the current set of predicates be $\{\pi_1, \ldots, \pi_k\}$. simplify takes as input a Boolean formula $g(r)$ (written as $g$ for short) and an abstract state $t$. It replaces all the occurrences of $\pi_1, \ldots, \pi_k$ in $g$ by their truth values in the state $t$.

Algorithm 5.1 Simplification of a Boolean formula using the predicate valuations in an abstract state.

Input: Boolean expression $g$
Input: An abstract state $t$ assigning values to the predicates $\{\pi_1, \ldots, \pi_k\}$
Output: $g$ is simplified (modified in-place)

1: for all operands $h$ in $g$ do
2:   simplify($h$, $t$)   {recursive simplification}
3: end for
4: Remove constant conditionals from $g$   {e.g., replace $(0\ ?\ x : y)$ by $y$}
5: if $\exists \pi_j.\ (\pi_j = g)$ {syntactic equality of expressions} then
6:   $g \Leftarrow t_j$   {replace $g$ by the value of $\pi_j$ in $t$}
7: end if


Example 26 Suppose our current set of predicates is $\{x < 2, x < 1\}$. Let $t$ be an abstract state in which $x < 2$ is true and $x < 1$ is true. Let $g(x, y)$ be the formula $(((x < 1)\ ?\ (x + y) : x) < 2)$. After calling simplify with $g$ and $t$ as arguments, $g$ becomes:

$$((\mathit{true}\ ?\ (x + y) : x) < 2) \;=\; x + y < 2$$

Let $h(x, y)$ be the formula $x < 3$. After calling simplify with $h$ and $t$ as arguments, $h$ remains equal to $x < 3$.

Simplified weakest pre-conditions Let the spurious prefix be $t(0), \ldots, t(l)$ with $l \ge 1$ and the property be $\gamma$. The weakest precondition $\mathit{wp}_i$ is a formula that should hold before $i$ concrete transitions for $\gamma$ to hold after $i$ transitions. That is, $\gamma$ holds after $l$ transitions starting from the initial state iff $\mathit{wp}_l$ holds in the initial state.

Figure 5.5: Simplified weakest precondition computation for a spurious prefix. [The figure shows the spurious prefix $t(0), \ldots, t(l)$ of length $l$ and, beneath it, the backward weakest precondition computation: $\mathit{swp}_l(\gamma)$ under $t(0)$, $\mathit{swp}_{l-1}(\gamma)$ under $t(1)$, ..., $\mathit{swp}_1(\gamma)$ under $t(l-1)$, and $\gamma$ under $t(l)$.]

As motivated earlier we want to simplify $\mathit{wp}_i$ using the predicate values from the spurious prefix. We denote the simplified weakest precondition (swp) for $i$ steps by $\mathit{swp}_i$. The abstract state $t(l - i)$ provides the truth values of the predicates just before the $i$ transitions leading to the end of the spurious prefix. Thus, $\mathit{swp}_i(\gamma)$ is simplified using the predicate values from the abstract state $t(l - i)$. Fig. 5.5 shows the correspondence between abstract states and $\mathit{swp}_i$. Formally, $\mathit{swp}_i$ is defined as follows ($\mathit{wp}_1$ was defined earlier and $l$ is the length of the spurious prefix):

$$\mathit{swp}_1(\gamma) := \mathit{simplify}(\mathit{wp}_1(\gamma),\ t(l-1))$$

$$\mathit{swp}_i(\gamma) := \mathit{simplify}(\mathit{wp}_1(\mathit{swp}_{i-1}(\gamma)),\ t(l-i)) \qquad (1 < i \le l)$$

The new set of predicates for refinement is obtained from $\mathit{swp}_1, \ldots, \mathit{swp}_l$. This is done by taking only the atomic predicates occurring in the simplified weakest pre-conditions.

The predicates in the simplified weakest precondition of the given property are not always sufficient to ensure that the spurious prefix is eliminated from the abstract model. We identify a subset of the existing predicates such that computing the weakest pre-condition of these predicates is likely to remove the spurious prefix. As in [94], this is done by examining the unsatisfiable core of the SAT instance used for simulating the prefix. This approach identifies a subset of the existing predicates that is responsible for the spurious behavior. If a copy of predicate $p$ in cycle $k$ appears in the unsatisfiable core, we compute the weakest precondition of $p$ for $k$ steps ($k \le l$). In addition we compute the weakest precondition for each predicate used during the simplification (Algorithm 5.1, Line 5).
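The refinement procedure of Section 5.5.2 ($\mathit{wp}_1$ of Example 25, Algorithm 5.1 on Example 26, and the $\mathit{swp}_i$ recursion) as an added Python example on a small expression AST. This is not code from the thesis or from VCEGAR. The AST encoding, the helper names (wp1, simplify, atoms, refine_prefix) and the abstract states t0, t1 are constructed for illustration; the case-split of a comparison on an embedded conditional when collecting atomic predicates is an assumption about how "atomic Boolean expressions" are extracted, chosen so that Example 25 yields the three AR predicates $x < 200$, $x < 100$, $x + y < 200$ named in Section 5.6.1.

```python
# Added example (not from the thesis or VCEGAR): weakest-precondition refinement
# of Section 5.5.2 on a tiny expression AST. Expressions are nested tuples:
# ('var', n), ('const', k), ('bool', b), ('add', a, b), ('lt', a, b), ('ite', c, a, b).
LEAVES = ("var", "const", "bool")

def V(n): return ("var", n)
def K(k): return ("const", k)
def LT(a, b): return ("lt", a, b)
def ADD(a, b): return ("add", a, b)
def ITE(c, a, b): return ("ite", c, a, b)

def subst(e, env):
    """e[r/f]: simultaneously replace each register r_i by env[r_i]."""
    if e[0] == "var":
        return env.get(e[1], e)
    if e[0] in LEAVES:
        return e
    return (e[0],) + tuple(subst(h, env) for h in e[1:])

def wp1(prop, f):
    """wp_1(f, prop) := prop[r/f] for one transition (f maps register -> next-state expr)."""
    return subst(prop, f)

def simplify(g, t):
    """Algorithm 5.1. t maps each current predicate (an AST) to its value in the abstract state."""
    if g[0] not in LEAVES:
        g = (g[0],) + tuple(simplify(h, t) for h in g[1:])   # lines 1-3: operands first
        if g[0] == "ite" and g[1][0] == "bool":               # line 4: constant conditional
            g = g[2] if g[1][1] else g[3]
    return ("bool", t[g]) if g in t else g                    # lines 5-6: syntactic match

def first_ite(e):
    if e[0] in LEAVES:
        return None
    if e[0] == "ite":
        return e
    return next((r for r in map(first_ite, e[1:]) if r is not None), None)

def replace(e, old, new):
    if e == old:
        return new
    if e[0] in LEAVES:
        return e
    return (e[0],) + tuple(replace(h, old, new) for h in e[1:])

def atoms(e):
    """Atomic Boolean expressions of e. A comparison containing a conditional is
    case-split on its guard (assumption: (c ? a : b) < k is read as
    (c and a < k) or (not c and b < k)), so no predicate keeps an embedded ?:."""
    if e[0] in LEAVES:
        return set()
    if e[0] == "lt":
        ite = first_ite(e)
        if ite is None:
            return {e}
        return atoms(ite[1]) | atoms(replace(e, ite, ite[2])) | atoms(replace(e, ite, ite[3]))
    return set().union(*(atoms(h) for h in e[1:]))

def refine_prefix(prop, f, trace):
    """swp_1..swp_l for the spurious prefix trace = [t(0), ..., t(l)]; returns the
    simplified weakest preconditions and the new predicates (their atoms)."""
    l = len(trace) - 1
    swps, new_preds, cur = [], set(), prop
    for i in range(1, l + 1):
        cur = simplify(wp1(cur, f), trace[l - i])   # swp_i := simplify(wp_1(swp_{i-1}), t(l-i))
        swps.append(cur)
        new_preds |= atoms(cur)
    return swps, new_preds

def show(e):
    k = e[0]
    if k == "var": return e[1]
    if k == "const": return str(e[1])
    if k == "bool": return str(e[1]).lower()
    if k == "add": return f"{show(e[1])} + {show(e[2])}"
    if k == "lt": return f"({show(e[1])} < {show(e[2])})"
    return f"({show(e[1])} ? {show(e[2])} : {show(e[3])})"

if __name__ == "__main__":
    x, y = V("x"), V("y")
    f = {"x": ITE(LT(x, K(100)), ADD(x, y), x), "y": x}   # next-state functions of Example 25
    prop = LT(x, K(200))
    print("wp_1:", show(wp1(prop, f)))
    t0 = {LT(x, K(200)): True, LT(x, K(100)): True}       # constructed abstract states
    t1 = {LT(x, K(200)): False, LT(x, K(100)): False}
    swps, preds = refine_prefix(prop, f, [t0, t1])
    print("swp_1:", show(swps[0]), "-> new predicates:", sorted(map(show, preds)))
```

With the predicates $\{x < 200, x < 100\}$ already present, the unsimplified $\mathit{wp}_1$ of Example 25 carries the whole conditional, while $\mathit{swp}_1$ under an abstract state in which $x < 100$ holds collapses to $x + y < 200$, the one predicate the AR benchmarks still need. For a prefix of length 2 whose middle state already makes $\mathit{wp}_1(x < 200)$ true, both $\mathit{swp}_1$ and $\mathit{swp}_2$ simplify to $\mathit{true}$ and contribute no predicate at all; that is the situation in which the paragraph above falls back to the weakest preconditions of the predicates found in the unsatisfiable core.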

5.6  Experimental  Results 

The  experiments  are  performed  on  a  1.86  GHz  Intel  Xeon  (R)  machine  with  4  GB 
of  memory  running  Linux.  The  techniques  described  in  this  chapter  have  been 
implemented  in  a  tool  called  VCEGAR  [23].  Our  implementation  is  available  for 
experimentation  by  other  researchers.  We  use  the  MiniSat  (version  1.14)  SAT 
solver  [8]  as  our  decision  procedure.  The  abstractions  are  model  checked  using  a 
publicly  available  version  of  the  Cadence  SMV  model  checker  [3].  We  perform 
two  sets  of  experiments: 

1. We compare the performance of VCEGAR with the performance of the k-induction [130] and interpolation [112] verification techniques implemented in EBMC [5]. The implementation of interpolation in EBMC uses the ideas from [112, 131] but does not incorporate the optimizations described in [112].³ The results are reported in Section 5.6.1.

2. We compare three different predicate clustering algorithms: syntactic cone clustering, clustering for lazy abstraction described in Section 5.4, and semantic predicate clustering (Section 5.5.1). These results are reported in Section 5.6.2.

³ The publicly available version of Cadence SMV does not include the interpolation options.

In  all  our  experiments  we  compute  the  initial  abstraction  using  the  atomic  pred¬ 
icates  appearing  in  the  property.  The  remaining  predicates  are  discovered  auto¬ 
matically  using  refinement. 

5.6.1  Comparison  with  Other  Verification  Techniques 

The results are summarized in Table 5.1. The column “Latches” contains the
total  number  of  latches  in  the  design.  The  columns  marked  with  “Predicate  Ab¬ 
straction”  contain  the  results  of  applying  the  techniques  discussed  in  this  chapter. 
The  “Time”,  “Abs”,  “MC”,  and  “Ref”  columns  contain  the  total  time,  followed 
by  the  time  taken  by  abstraction,  model  checking,  and  refinement  including  sim¬ 
ulation.  The  time  spent  before  the  start  of  the  CEGAR  loop  is  given  by  Time- 
(Abs+MC+Ref).  We  use  lazy  abstraction  and  rely  on  refinement  to  do  most  of  the 
work  in  these  benchmarks.  The  “P”  column  contains  the  final  number  of  pred¬ 
icates.  The  “I”  column  gives  two  numbers  separated  by  a  slash:  1)  Number  of 
refinement  steps  in  which  spurious  transitions  are  removed,  and  2)  number  of  re¬ 
finement  steps  in  which  new  predicates  are  added.  The  sum  of  these  two  numbers 
is  the  total  number  of  refinement  iterations. 

The results of running EBMC with the k-induction options are given in the “EBMC-K” column. We report the total runtime followed by the k-induction bound at which the property is (dis)proved or a timeout is reached. The “EBMC-I” column gives the runtimes of EBMC with the interpolation options followed by (a) the BMC bound at which the property is (dis)proved and (b) the total number of iterations (see the FiniteRun procedure in [112]). The interpolation options given to EBMC are --interpolation --stop-minimize --stop-induction, and optionally --no-netlist is provided if it improves the runtime.

Benchmark  Latches  -------- Predicate Abstraction --------   EBMC-K     EBMC-I
                    Time   Abs   MC    Ref    P    I           Time       Time
USB1          545     42     1     2     29   17   62/0        0.60 (1)   2 (1/5)
USB2          545    599    47   147    386  116   146/22      43 (14)    30 (14/20)
USB3          545    446    46    73    317  114   123/20      - (80)     14 (4/18)
ETH0          359     44     2     3     30   21   55/0        - (74)     1213 (19/55)
ETH1          359    127     8     8    102   93   49/2        - (87)     3905 (36/87)
ETH2          359    161     8    16    127   94   109/2       - (83)     -
ETH3          359    204     8    20    166   96   123/2       - (76)     -
ETH4          359     15     0     0      5    4   9/0         - (146)    6 (4/11)
ETH5          359    104     8     6     79   94   54/2        - (82)     -
ETH6          359    161     4     7    140   63   71/5        - (83)     -
ETH7          359    497     6   206    275   77   86/5        - (86)     939 (32/67)
ETH8          359    230     6    33    181   78   47/4        - (86)     733 (29/68)
ETH9          359    222     7    15    190   84   71/5        - (85)     1305 (30/78)
ETH10         359    123     8     6     99   94   46/1        - (82)     -
ETH11         359     11     0     0      1    2   2/0         KD         1 (4/3)
M2KB        16427      5     0     0      5    3   2/0         4.2 (1)    18 (1/2)
M8KB        65694     28     0     0     28    3   2/0         38.4 (1)   293 (1/2)
M16KB      131117     34     0     0     34    3   2/0         44 (1)     308 (1/2)
N2KB        16427     93     0     0     93   11   9/0         39 (1)     452 (1/2)
N8KB        65694    490     0     0    490   11   9/0         550 (1)    -
N16KB      131117    790     0     0    789   11   9/0         679 (1)    -
AR200         400      1     0     0      1    3   3/2         0.1 (2)    0.6 (2/8)
AR3000       6000     12     0     0     12    3   3/2         1.1 (2)    20 (2/10)
AR4000       8000     17     0     0     16    3   3/2         1.5 (2)    28 (2/10)

Table 5.1: Experimental results: All runtimes are in seconds (rounded to the nearest integer). A dash indicates a timeout of 2 hours.

Figure 5.6: State machine for the DMA in the USB 2.0 Function core.

Benchmarks: The USB benchmark was used for the experimental evaluation of the EverLost tool [72]. It is derived from a USB 2.0 Function core [12] and contains approximately 4000 lines of RTL Verilog. We checked three properties. The first property USB1 checks that the implementation of the internal DMA module simulates the state transition diagram shown in Fig. 5.6. The property holds and all the predicates required for the proof are present in the property itself. The second property USB2 encodes the following: if the abort signal is true in any state of Fig. 5.6, then the next state will be IDLE. This property does not hold because the transition from the MEM_WR2 state to the IDLE state is not guaranteed by the abort signal. The third property USB3 excludes the state MEM_WR2 from the USB2 property. This property holds on the design. The properties USB2 and USB3 contain three and four atomic predicates, respectively. The remaining predicates are discovered through refinement.

Figure 5.7: State machine for the Transmit module in the Ethernet MAC.

The ETH benchmark was also used in [72]. It is the design of a 10/100 Mbps Ethernet MAC [12] and contains approximately 5000 lines of RTL Verilog. The transmit module of the design contains a state machine with ten states (see Fig. 5.7). The property ETH0 checks that the implementation obeys the state machine description given in Fig. 5.7. All the predicates required for proving the property are present in the property itself. The property ETH1 checks the outgoing transitions from the state Backoff. The property ETH2 checks the outgoing transitions from the state Jam. The properties ETH3 to ETH11 are similar and check the outgoing transitions from the remaining states. All properties ETH1 to ETH11 hold on the design. When checking the properties ETH1 to ETH11 most of the predicates are discovered through refinement.

The ICRAM benchmark is taken from the Instruction Cache RAM unit of the Sun PicoJava II microprocessor [20]. It maintains a RAM of size 16KB (organized as 2048 entries of 64 bits each). If the write-enable signal wen0 is asserted, the value of the data input (din) is written to the lower 32 bits of the location addressed by the input address (addr). Otherwise, if the write-enable signal wen1 is asserted, the value din is written to the higher 32 bits of the location addressed by addr. This functionality of the ICRAM is encoded in the form of eight safety properties using the current-state and next-state values of the variables. We use P.x to denote the value of a register or input x in the previous state. Each property compares eight bits in P.din with the corresponding bits in the ICRAM. A sample property is given below:

    P.wen0 ⇒ (ram[{P.addr, 3'b001}] = P.din[23:16])

The above property depends on the contents of the RAM. We verified the above property by varying the size of the RAM from 2KB to 16KB. These benchmarks start with the prefix “M” in Table 5.1. We also combined all eight properties for the ICRAM benchmark into a single property. These benchmarks start with the prefix “N” in Table 5.1. For both the “M” and “N” benchmarks the property is proved using only the predicates occurring in the property. No new predicates are discovered.

The benchmarks with names starting with “AR” perform arithmetic operations on two registers $x$ and $y$ as shown in Fig. 5.3. We verify the invariant $x < 200$. In the AR$i$ benchmark the size of both $x$ and $y$ is $i$ bits and the total number of latches is $2i$. As described in the previous section, this property is proved using the predicates $x < 200$, $x < 100$, $x + y < 200$. The predicate $x < 200$ is obtained from the property and the predicates $x < 100$, $x + y < 200$ are discovered using refinement.

VCEGAR is able to solve all benchmarks reported in Table 5.1, while EBMC-K and EBMC-I time out on 12 and 7 problems, respectively. Due to the use of lazy abstraction in VCEGAR the refinement step (simulation of abstract transitions and counterexamples) takes more than 50% of the runtime.

When  using  predicate  abstraction,  the  size  of  the  abstract  model  can  remain 
constant  even  when  the  number  of  latches  is  increased.  This  is  because  for  certain 
properties,  the  number  of  word-level  predicates  needed  for  the  proof  does  not 
grow  as  the  width  of  the  registers  is  increased.  This  trend  is  visible  in  the  M*, 
N*,  and  AR*  benchmarks.  Thus,  the  model  checking  (MC)  time  is  similar  across 
these  benchmarks. 

5.6.2  Comparing  Predicate  Clustering  Techniques 

We  report  the  performance  of  the  CEGAR  loop  using  three  different  predicate 
clustering  techniques  described  in  Section  5.4  and  Section  5.5.1.  The  benchmark 
characteristics  are  given  in  Table  5.2.  We  report  the  number  of  lines  of  code, 
the  total  number  of  latches,  the  total  number  of  Verilog  combinational  elements 
and  inputs  (“CE+I”  column),  and  the  total  number  of  properties  checked  for  each 
benchmark.  The  benchmarks  USB  2.0  and  Ethernet  MAC  were  described  in  the 
previous  section.  Other  benchmarks  are  taken  from  the  Texas97  and  VIS  [139] 
benchmark  suites. 

Benchmark             Lines   Latches   CE+I   Properties
mpeg                   1215       599    234            2
SDLX                    898        41     40            1
Miim                    841        83    173            1
ethernet (enet)         610        91    156            2
itc99-b12 (b12)         558       151    723            1
usb-phy (uphy)         1054        44     25            1
USB 2.0 (USB)          4000       545   1686            3
Ethernet MAC (ETH)     5000       359   2363            3

Table 5.2: Benchmark characteristics

The results are summarized in Table 5.3. The columns labeled with “Cone” contain the results of using syntactic cone clustering in the CEGAR loop. The performance of the CEGAR loop when using clustering for lazy abstraction is summarized in the columns labeled with “Lazy”. The “Semantic” column presents the results of using semantic predicate clustering (Section 5.5.1).

For each predicate clustering technique, the “Time”, “Abs”, “MC”, and “Ref” columns contain the total verification time, followed by the time taken by abstraction, model checking, and refinement including simulation. The “Preds” column contains two numbers separated by a slash: 1) the total number of predicates in the last iteration of the CEGAR loop (this includes only the current-state predicates), and 2) the maximum number of predicates present in any predicate cluster generated by the predicate clustering technique. The number of refinement iterations is reported in the “I” column. The “Res” column contains T (true) if the property holds; otherwise it contains F (false), followed by the length of the counterexample. In these benchmarks (except USB1 and ETH0) most of the predicates are discovered automatically during the refinement phase. Below, we compare the three instantiations of the CEGAR loop, which are “Cone”, “Lazy”, and “Semantic”.
“Cone” versus “Lazy”: The “Lazy” technique is able to handle all benchmarks within the timeout, and thus it is more robust than the “Cone” technique (which times out on five problems). When using the “Cone” technique, the SAT-based abstraction becomes the bottleneck. Model checking of abstract models also becomes expensive (see the Miim row). This happens because the abstract models created in the “Cone” technique are more detailed and thus harder. However, the properties can usually be checked using the coarse (less precise) abstractions created by the “Lazy” technique.

“Semantic”  versus  “Lazy”:  In  the  “Semantic”  technique  (Section  5.5.1),  new 
predicate  clusters  are  generated  as  follows:  When  a  spurious  transition  is  found, 
we  identify  a  set  of  predicates  responsible  for  spurious  behavior.  These  predicates 
are  treated  as  a  new  predicate  cluster.  In  our  experiments  this  cluster  is  used  during 
abstraction  computation  only  if  it  has  <  6  predicates.  In  addition,  we  use  the  same 
predicate  clusters  as  for  the  “Lazy”  technique. 

The  “Semantic”  technique  consistently  requires  fewer  refinement  iterations 
than  the  “Lazy”  technique.  This  shows  that  computing  all  possible  abstract  tran¬ 
sitions  for  the  predicates  responsible  for  a  spurious  transition  also  rules  out  other 
spurious  transitions.  The  runtime  of  both  techniques  is  comparable. 

The abstraction computation or the model checking of the abstract model can become a bottleneck when using the “Cone” technique, while a large number of refinement iterations can hurt performance when using the “Lazy” technique. The “Semantic” technique tries to balance the bottlenecks of both the “Cone” and “Lazy” techniques, and thus seems to be the most scalable.
5.7 Chapter Summary


We  apply  the  idea  of  predicate  abstraction  from  software  verification  to  verify 
hardware  designs  at  a  higher  level  of  abstraction.  We  show  how  to  reduce  the 
abstraction  computation  overhead  in  presence  of  a  large  number  of  predicates. 
This  is  done  by  dividing  the  set  of  predicates  into  clusters  of  related  predicates 
and  the  abstraction  is  computed  separately  for  each  cluster.  In  lazy  abstraction  the 
expensive  task  of  program  abstraction  is  deferred  until  a  spurious  counterexample 
is  found.  We  show  the  benefit  of  lazy  abstraction  in  the  context  of  hardware 
verification. 

We  use  unsatisfiable  cores  in  order  to  eliminate  multiple  spurious  transitions. 
The  spurious  trace  may  also  be  caused  by  insufficient  predicates.  We  use  weakest 
preconditions  to  compute  new  predicates.  Our  experimental  results  show  that  this 
technique  is  effective  in  discovering  new  word-level  predicates  for  refinement. 
Bench-   Cone                                     Lazy                                     Res
mark     Time   Abs    MC   Ref  Preds     I      Time   Abs    MC   Ref  Preds     I
mpeg1      44    25     1    18  31/33     7        41     3     1    37  31/22    24     T
mpeg2      51    26     1    23  31/32     9        47     4     1    43  30/22    26     T
SDLX        8     4     1     2  32/13    23        14     1     5     8  32/6     83     T
Miim      170    49   119     2  23/19    19         8     1     2     6  23/4     55     T
enet1       -     -     -     -  -         -        45     2    20    22  48/4    129     F(6)
enet2      38     6     5    27  37/11    36        69     2    20    47  37/3    117     T
b12       310   181    69    57  50/24    29       132     3    24   103  38/8    148     F(14)
uphy       13     1     3     8  42/18    29        24     0    10    13  42/7    100     F(36)
USB1       12     1     0     0  17/17     0        42     1     2    29  17/8     62     T
USB2        -     -     -     -  -         -       599    47   147   386  116/15  168     F(14)
USB3        -     -     -     -  -         -       446    46    73   317  114/15  143     T
ETH0       49    15     4    19  21/11    31        44     2     3    30  21/0     55     T
ETH1        -     -     -     -  -         -       127     8     8   102  93/0     51     T
ETH2        -     -     -     -  -         -       161     8    16   127  94/0    111     T

Bench-   Semantic
mark     Time   Abs    MC   Ref  Preds     I
mpeg1      46    10     1    35  30/22    22
mpeg2      54    11     1    43  31/22    24
SDLX       13     3     3     6  32/6     64
Miim        8     2     1     4  23/6     40
enet1      45     6    17    21  48/6    121
enet2      66     6    19    41  37/6     99
b12       131    17    13    98  48/8     94
uphy       23     1    10    11  42/7     87
USB1       51    19     1    20  17/8     40
USB2      547   109    87   333  116/15  139
USB3      459    97    70   282  114/15  120
ETH0       57    14     3    30  21/6     53
ETH1      177    48    13   107  93/6     54
ETH2      172    48    14   100  94/6     95

Table 5.3: Comparing three CEGAR loops each employing a different predicate clustering method. All times are reported in seconds (rounded to the nearest integer). A dash indicates a timeout of 2 hours.
Chapter 6


Interpolation  for  Subsets  of  Integer 
Linear  Arithmetic 


The  use  of  Craig  interpolants  has  enabled  the  development  of  powerful  hardware 
and  software  model  checking  techniques  [112,  89,  99].  Efficient  algorithms  are 
known  for  computing  interpolants  in  rational  and  real  linear  arithmetic.  In  this 
chapter  we  present  efficient  interpolation  algorithms  for  subsets  of  integer  linear 
arithmetic  or  LA(Z). 

Informally,  a  linear  equation  where  all  variables  are  integer  variables  is  said 
to  be  a  linear  diophantine  equation  (LDE).  A  linear  modular  equation  (LME)  or 
a  linear  congruence  over  integer  variables  is  a  type  of  linear  equation  that  ex¬ 
presses  divisibility  relationships.  A  system  of  LDEs  (LMEs)  denotes  a  conjunc¬ 
tion  of  LDEs  (LMEs).  Both  LDEs  and  LMEs  arise  naturally  in  program  verifica¬ 
tion  when  modeling  assignments  and  conditional  statements  as  logical  formulas. 
These subsets of LA(Z) are also known to be tractable, that is, polynomial time algorithms are known for deciding systems of LDEs and LMEs. We study the interpolation problem for LDEs and LMEs. Our contributions are summarized below.


6.1  Contributions 

Given formulas $F, G$ such that $F \wedge G$ is unsatisfiable, an interpolant for the pair $(F, G)$ is a formula $I(F, G)$ with the following properties: (i) $F$ implies $I(F, G)$, (ii) $I(F, G) \wedge G$ is unsatisfiable, and (iii) $I(F, G)$ refers only to the common variables of $F$ and $G$. This thesis presents the following new results.

• Let $F, G$ denote systems of LDEs. We show that $I(F, G)$ can be obtained in polynomial time by using a proof of unsatisfiability of $F \wedge G$. The interpolant can be either a LDE or a LME. This is because in some cases there is no $I(F, G)$ that is a LDE. In these cases, however, there is always an $I(F, G)$ in the form of a LME. (Section 6.4)

• Let $F, G$ denote systems of LMEs. We obtain $I(F, G)$ in polynomial time by using a proof of unsatisfiability of $F \wedge G$. We can ensure that $I(F, G)$ is a LME. (Section 6.5)

• Let $S$ denote an unsatisfiable system of LDEs. The proof of unsatisfiability of $S$ can be obtained in polynomial time by using the Hermite Normal Form of $S$ (represented in matrix form). A system of LMEs $R$ can be reduced to an equi-satisfiable system of LDEs $R'$. The proof of unsatisfiability for $R$ is easily obtained from the proof of unsatisfiability of $R'$. (Section 6.6)

• Let $S$ denote a system of LDEs. We show that if $S$ has an integral solution, then every LDE that is implied by $S$ can be obtained by a linear combination of equations in $S$. We show that $S$ is convex [120], that is, if $S$ implies a disjunction of LDEs, then it implies one of the equations in the disjunction. In contrast, conjunctions of atomic formulas in LA(Z) are not convex due to inequalities [120]. These results help in efficiently dealing with linear diophantine disequations (LDDs). (Section 6.7)

• Let $S = S_1 \wedge S_2$, where $S_1$ is a system of LDEs, while $S_2$ is a system of LDDs. We say that $S$ is a system of LDEs+LDDs. We show that $S$ has no integral solution if and only if $S_1 \wedge S_2$ has no rational solution or $S_1$ has no integral solution. This gives a polynomial time decision procedure for checking if $S$ has an integral solution. If $S$ has no integral solution, then the proof of unsatisfiability of $S$ can be obtained in polynomial time. (Section 6.7)

• Let $F, G$ denote systems of LDEs+LDDs. We show that $I(F, G)$ can be obtained in polynomial time. The interpolant can be an LDE, an LDD, or an LME. (Section 6.7)

• We show the utility of our interpolation algorithms in counterexample guided abstraction refinement (CEGAR) based verification [56]. Our interpolation algorithm is effective at discovering modular/divisibility predicates, such as $3x + y + 2z \equiv 1 \pmod 4$, from spurious counterexamples. This has allowed us to verify programs that cannot be verified by existing hardware and software model checkers. (Section 6.8)

Polynomial  time  algorithms  are  known  for  solving  (deciding)  a  system  of 
LDEs  [129,  44]  and  LMEs  (by  reduction  to  LDEs)  over  integers.  We  do  not 
give  any  new  algorithms  for  solving  a  system  of  LDEs  or  LMEs.  Instead  we  fo¬ 
cus  on  obtaining  proofs  of  unsatisfiability  and  interpolants  for  systems  of  LDEs, 
LMEs,  and  LDEs+LDDs.  We  only  consider  conjunctions  of  LDEs,  LMEs,  and 
LDEs+LDDs.  Interpolants  for  any  (unsatisfiable)  Boolean  combination  of  LDEs 
can  also  be  obtained  by  calling  the  interpolation  algorithm  for  conjunctions  of 
LDEs+LDDs  multiple  times  in  a  satisfiability  modulo  theory  (SMT)  framework 
[54].  However,  computing  interpolants  for  Boolean  combinations  of  LMEs  is  dif¬ 
ficult.  This  is  due  to  linear  modular  disequations  (LMDs).  We  can  show  that  even 
the  decision  problem  for  conjunctions  of  LMDs  is  NP-hard. 

All proofs are given in Appendix D.

6.2  Related  Work 

It  is  known  that  Presburger  arithmetic  (PA)  augmented  with  divisibility  predicates 
allows  quantifier  elimination  [125].  Kapur  et  al.  [100]  show  that  a  recursively 
enumerable  theory  allows  quantifier-free  interpolants  if  and  only  if  it  allows  quan¬ 
tifier  elimination.  The  systems  of  LDEs,  LMEs,  LDEs+LDDs  are  subsets  of  PA. 
Thus, the existence of quantifier-free interpolants for these systems follows from [100]. However, quantifier elimination for PA has exponential complexity and does not immediately yield efficient algorithms for computing interpolants. We give polynomial time algorithms for computing proofs of unsatisfiability and interpolants for systems (conjunctions) of LDEs, LMEs, LDEs+LDDs.

Let $S_1, S_2$ denote conjunctions of atomic formulas in LA(Z). Suppose $S_1 \wedge S_2$ is unsatisfiable. Pudlák [126] shows how to compute an interpolant for $(S_1, S_2)$ by using a cutting-plane (CP) proof of unsatisfiability. The CP proof system is a sound and complete way of proving unsatisfiability of conjunctions of atomic formulas in LA(Z). However, a CP proof for a formula can be exponential in the size of the formula. Pudlák does not provide any guarantee on the size of CP proofs for a system of LDEs or LMEs. Our results show that polynomially sized proofs of unsatisfiability and interpolants can be obtained for systems of LDEs, LMEs and LDEs+LDDs.

McMillan [113] shows how to compute interpolants in the combined theory of rational linear arithmetic LA(Q) and equality with uninterpreted functions EUF by using proofs of unsatisfiability. Rybalchenko and Sofronie-Stokkermans [128] show how to compute interpolants in combined LA(Q), EUF and real linear arithmetic LA(R) by using linear programming solvers in a black-box fashion. The key idea in [128] is to use an extension of Farkas' lemma [129] to reduce the interpolation problem to constraint solving in LA(Q) and LA(R). Cimatti et al. [54] show how to compute interpolants in a satisfiability modulo theory (SMT) framework for LA(Q), the rational difference logic fragment and EUF. By making use of state-of-the-art SMT algorithms [74] they obtain significant improvements over existing interpolation tools for LA(Q) and EUF. Yorsh and Musuvathi [144] give a Nelson-Oppen [120] style method for generating interpolants in a combined theory by using the interpolation procedures for the individual theories. Kroening and Weissenbacher [101] show how a bit-level proof can be lifted to a word-level proof of unsatisfiability (and interpolants) for equality logic.

To the best of our knowledge the work in [113, 144, 128, 101, 54] is not complete for computing interpolants in LA(Z) or its subsets such as LDEs, LMEs, LDEs+LDDs. That is, the work in [113, 144, 128, 101, 54] cannot compute interpolants for formulas that are satisfiable over rationals but unsatisfiable over integers. Such formulas can arise in both hardware and software verification. We give sound and complete polynomial time algorithms for computing interpolants for conjunctions of LDEs, LMEs, LDEs+LDDs. Efficient interpolation algorithms for LDEs, LMEs, LDEs+LDDs are also crucial in order to develop practical interpolating theorem provers for LA(Z) and bit-vector arithmetic [68, 38, 32, 81, 107, 49, 82, 48].

6.3  Notation  and  Preliminaries 

We use capital letters $A, B, C, X, Y, Z, \ldots$ to denote matrices and formulas. A matrix $M$ is integral (rational) iff all elements of $M$ are integers (rationals). For a matrix $M$ with $m$ rows and $n$ columns we say that the size of $M$ is $m \times n$. A row vector is a matrix with a single row. A column vector is a matrix with a single column. We sometimes identify a matrix $M$ of size $1 \times 1$ with its only element. If $A, B$ are matrices, then $AB$ denotes matrix multiplication. We assume that all matrix operations are well defined. For example, when we write $AB$ without specifying the sizes of the matrices $A, B$, it is assumed that the number of columns in $A$ equals the number of rows in $B$.

For any rational numbers $\alpha$ and $\beta$, $\alpha \mid \beta$ if and only if $\alpha$ divides $\beta$, that is, if and only if $\beta = \alpha\lambda$ for some integer $\lambda$. We say that $\alpha$ is equivalent to $\beta$ modulo $\gamma$, written as $\alpha \equiv \beta \pmod{\gamma}$, if and only if $\gamma \mid (\alpha - \beta)$. We say $\gamma$ is the modulus of the equation $\alpha \equiv \beta \pmod{\gamma}$. We allow $\alpha, \beta, \gamma$ to be rational numbers. If $\alpha_1, \ldots, \alpha_n$ are rational numbers, not all equal to 0, then the largest rational number $\gamma$ dividing each of $\alpha_1, \ldots, \alpha_n$ exists [129], and is called the greatest common divisor, or gcd, of $\alpha_1, \ldots, \alpha_n$, denoted by $\gcd(\alpha_1, \ldots, \alpha_n)$. We assume that the gcd is always positive.

Basic Properties of Modular Arithmetic: Let $a, b, c, d, m$ be rational numbers.

P1. $a \equiv a \pmod m$ (reflexivity).

P2. $a \equiv b \pmod m$ implies $b \equiv a \pmod m$ (symmetry).

P3. $a \equiv b \pmod m$ and $b \equiv c \pmod m$ imply $a \equiv c \pmod m$ (transitivity).

P4. If $a \equiv b \pmod m$, $c \equiv d \pmod m$, and $x, y$ are integers, then $ax + cy \equiv bx + dy \pmod m$ (integer linear combination).

P5. If $c > 0$ then $a \equiv b \pmod m$ if, and only if, $ac \equiv bc \pmod{mc}$.

P6. If $a = b$, then $a \equiv b \pmod m$ for any $m$.

Example 27 Observe that $x \equiv 0 \pmod 1$ for any integer $x$. Also observe from P5 (with $c = 2$) that $\tfrac{1}{2}x \equiv 0 \pmod 1$ if and only if $x \equiv 0 \pmod 2$.
A linear diophantine equation (LDE) is a linear equation $c_1 x_1 + \ldots + c_n x_n = c_0$, where $x_1, \ldots, x_n$ are integer variables and $c_0, \ldots, c_n$ are rational numbers. A variable $x_i$ is said to occur in the LDE if $c_i \neq 0$. We denote a system of $m$ LDEs in matrix form as $CX = D$, where $C$ denotes an $m \times n$ matrix of rationals, $X$ denotes a column vector of $n$ integer variables and $D$ denotes a column vector of $m$ rationals. When we write a (single) LDE in the form $CX = D$, it is implicitly assumed that the sizes of $C, X, D$ are of the form $1 \times n$, $n \times 1$, $1 \times 1$, respectively. A variable is said to occur in a system of LDEs if it occurs in at least one of the LDEs in the given system of LDEs.

A linear modular equation (LME) has the form $c_1 x_1 + \ldots + c_n x_n \equiv c_0 \pmod l$, where $x_1, \ldots, x_n$ are integer variables, $c_0, \ldots, c_n$ are rational numbers, and $l$ is a rational number. We call $l$ the modulus of the LME. Allowing $l$ to be a rational number allows for simpler proofs and covers the case when $l$ is an integer. For brevity, we write a LME $t \equiv c \pmod l$ as $t \equiv_l c$. A variable $x_i$ is said to occur in an LME if $l$ does not divide $c_i$.

A system of LDEs (LMEs) denotes a conjunction of LDEs (LMEs). If $F, G$ are systems of LDEs (LMEs), then $F \wedge G$ is also a system of LDEs (LMEs).

6.3.1  Craig  Interpolants 

Given two logical formulas $F$ and $G$ in a theory $T$ such that $F \wedge G$ is unsatisfiable in $T$, an interpolant $I$ for the ordered pair $(F, G)$ is a formula such that

(1) $F \Rightarrow I$ in $T$

(2) $I \wedge G$ is unsatisfiable in $T$

(3) $I$ refers to only the common variables of $F$ and $G$.

The interpolant $I$ can contain symbols that are interpreted by $T$. In this chapter such symbols will be one of the following: addition ($+$), equality ($=$), modular equality for some rational number $m$ ($\equiv_m$), disequality ($\neq$), and multiplication by a rational number ($\times$). The exact set of interpreted symbols in the interpolant depends on $T$.

6.4  System  of  Linear  Diophantine  Equations  (LDEs) 

In  this  section  we  discuss  proofs  of  unsatisfiability  and  interpolation  algorithm 
for  LDEs.  The  following  theorem  from  [129]  gives  a  necessary  and  sufficient 
condition  for  a  system  of  LDEs  to  have  an  integral  solution. 

Theorem 11 (Corollary 4.1(a) in Schrijver [129]) A system of LDEs $CX = D$ has no integral solution for $X$ if and only if there exists a rational row vector $R$ such that $RC$ is integral and $RD$ is not an integer.

Definition 15 We say a system of LDEs $CX = D$ is unsatisfiable if it has no integral solution for $X$. For a system of LDEs $CX = D$, a proof of unsatisfiability is a rational row vector $R$ such that $RC$ is integral and $RD$ is not an integer.

In Section 6.6 we describe how a proof of unsatisfiability $R$ can be obtained in polynomial time for an unsatisfiable system of LDEs. (We show in Appendix D.9 that $R$ can be converted to a polynomially sized proof in a cutting-plane proof system [129, 44].)
Example 28 Consider the system of LDEs $CX = D$ and a proof of unsatisfiability $R$:

$$CX = D := \begin{bmatrix} 1 & 1 & 0 \\ 1 & -1 & 0 \\ 0 & 2 & 2 \end{bmatrix} \begin{bmatrix} x \\ y \\ z \end{bmatrix} = \begin{bmatrix} 1 \\ 1 \\ 3 \end{bmatrix} \qquad R = \left[\tfrac{1}{2}, -\tfrac{1}{2}, \tfrac{1}{2}\right], \quad RC = [0, 2, 1], \quad RD = \tfrac{3}{2}$$

Example 29 Consider the system of LDEs $CX = D$ and a proof of unsatisfiability $R$:

$$CX = D := \begin{bmatrix} 1 & -2 & 0 \\ 1 & 0 & -2 \end{bmatrix} \begin{bmatrix} x \\ y \\ z \end{bmatrix} = \begin{bmatrix} 0 \\ 1 \end{bmatrix} \qquad R = \left[\tfrac{1}{2}, \tfrac{1}{2}\right], \quad RC = [1, -1, -1], \quad RD = \tfrac{1}{2}$$

The above examples will be used as running examples in the chapter.

Definition  16  (Implication)  A  system  of  LDEs  CX  =  D  implies  a  (single)  LDE 
AX  =  B,  if  every  integral  vector  X  satisfying  CX  =  D  also  satisfies  AX  =  B. 

Similarly,  CX  =  D  implies  a  (single)  LME  AX  =m  B,  if  every  integral  vector 
X  satisfying  CX  =  D  also  satisfies  AX  =m  B. 

Lemma 1 (Linear combination) For every rational row vector $U$ the system of LDEs $CX = D$ implies the LDE $UCX = UD$. Note that $UCX = UD$ is simply a linear combination of the equations in $CX = D$. The system $CX = D$ also implies the LME $UCX \equiv_m UD$ for any rational number $m$.
Example 30 The system of LDEs $CX = D$ in Example 29 implies the LDE $[\tfrac{1}{2}, \tfrac{1}{2}]\, CX = [\tfrac{1}{2}, \tfrac{1}{2}]\, D$, which simplifies to $x - y - z = \tfrac{1}{2}$. The system $CX = D$ also implies the LME $x - y - z \equiv_m \tfrac{1}{2}$ for any rational number $m$.

6.4.1  Computing  Interpolants  for  Systems  of  LDEs 

Let  FAG  denote  an  unsatisfiable  system  of  LDEs.  The  following  example  shows 
that  an  unsatisfiable  system  of  LDEs  does  not  always  have  an  LDE  as  an  inter- 
polant. 

Example 31 Let $F := x - 2y = 0$ and $G := x - 2z = 1$. Intuitively, $F$ expresses the constraint that $x$ is even and $G$ expresses the constraint that $x$ is odd; thus, $F \wedge G$ is unsatisfiable. We gave a proof of unsatisfiability of $F \wedge G$ in Example 29. Observe that the pair $(F, G)$ does not have any quantifier-free interpolant that is also a LDE. The problem is that the interpolant can only refer to the variable $x$. We can prove (using Lemma 6, or see Appendix D.1) that there is no formula $I$ of the form $c_1 x + c_2 = 0$, where $c_1, c_2$ are rational numbers, such that $F \Rightarrow I$ and $I \wedge G$ is unsatisfiable.

As shown by the above example, it is possible that there exists no LDE that is an interpolant for $(F, G)$. We show that in this case the pair $(F, G)$ always has an LME as an interpolant. In the above example an interpolant is $x \equiv_2 0$. Intuitively, the interpolant means that $x$ is an even integer.

We now describe the algorithm for obtaining interpolants. Let $AX = A'$, $BX = B'$ be systems of LDEs, where $X = [x_1, \ldots, x_n]$ is a column vector of $n$ integer variables. Suppose the combined system of LDEs $AX = A' \wedge BX = B'$ is unsatisfiable. We want to compute an interpolant for $(AX = A', BX = B')$. Let $R = [R_1, R_2]$ be a proof of unsatisfiability of $AX = A' \wedge BX = B'$ according to Definition 15. Then

$$R_1 A + R_2 B \text{ is integral and } R_1 A' + R_2 B' \text{ is not an integer.}$$

Recall that a variable is said to occur in a system of LDEs if it occurs with a non-zero coefficient in one of the equations in the system of LDEs. Let $V_{AB} \subseteq X$ denote the set of variables that occur in both $AX = A'$ and $BX = B'$, let $V_{A \setminus B} \subseteq X$ denote the set of variables occurring only in $AX = A'$ (and not in $BX = B'$), and let $V_{B \setminus A} \subseteq X$ denote the set of variables occurring only in $BX = B'$ (and not in $AX = A'$).

We call the LDE $R_1 AX = R_1 A'$ a partial interpolant for $(AX = A', BX = B')$. It is a linear combination of equations in $AX = A'$. The partial interpolant $R_1 AX = R_1 A'$ can be written in the following form

$$\sum_{x_i \in V_{A \setminus B}} a_i x_i + \sum_{x_i \in V_{AB}} b_i x_i = c \qquad (6.1)$$

where all coefficients and $c = R_1 A'$ are rational numbers. Observe that the partial interpolant does not contain any variable that occurs only in $BX = B'$ ($V_{B \setminus A}$).

Lemma 2 The coefficient $a_i$ of each $x_i \in V_{A \setminus B}$ in the partial interpolant $R_1 AX = R_1 A'$ (Equation 6.1) is an integer.
Lemma 3 The partial interpolant $R_1 AX = R_1 A'$ satisfies the first two conditions in the definition of an interpolant. That is,

1. $AX = A'$ implies $R_1 AX = R_1 A'$

2. $(R_1 AX = R_1 A') \wedge BX = B'$ is unsatisfiable

If $a_i = 0$ for all $x_i \in V_{A \setminus B}$ (Equation 6.1), then the partial interpolant only contains the variables from $V_{AB}$. In this case the partial interpolant is an interpolant for $(AX = A', BX = B')$.

The proofs of the above lemmas are given in Appendix D.1.

Example 32 Consider the system of LDEs $CX = D$ in Example 28. A proof of unsatisfiability for this system is $R = [\tfrac{1}{2}, -\tfrac{1}{2}, \tfrac{1}{2}]$. Let $AX = A'$ be the first two equations in $CX = D$, that is, $x + y = 1 \wedge x - y = 1$ (in matrix form). Let $BX = B'$ be the third equation in $CX = D$, that is, $2y + 2z = 3$. Observe that $V_{A \setminus B} := \{x\}$, $V_{AB} := \{y\}$, $V_{B \setminus A} := \{z\}$. In this case $R_1 = [\tfrac{1}{2}, -\tfrac{1}{2}]$. The partial interpolant for the pair $(AX = A', BX = B')$ is $y = 0$, which is also an interpolant because $y \in V_{AB}$.

The  following  example  shows  that  a  partial  interpolant  need  not  be  an  interpolant. 


Example 33 Consider the system $CX = D$ in Example 29. A proof of unsatisfiability for this system is $R = [\tfrac{1}{2}, \tfrac{1}{2}]$. Let $AX = A'$ be the first equation in $CX = D$, that is, $x - 2y = 0$. Let $BX = B'$ be the second equation in $CX = D$, that is, $x - 2z = 1$. Observe that $V_{A \setminus B} := \{y\}$, $V_{AB} := \{x\}$, $V_{B \setminus A} := \{z\}$. In this case $R_1 = [\tfrac{1}{2}]$. Thus, the partial interpolant for the pair $(AX = A', BX = B')$ is $\tfrac{1}{2}x - y = 0$. Observe that the partial interpolant is not an interpolant as it contains the variable $y$, which does not occur in $V_{AB}$. This is not surprising since we have already seen in Example 31 that $(x - 2y = 0, x - 2z = 1)$ cannot have an interpolant that is a LDE.


We now intuitively describe how to remove variables from the partial interpolant that are not common to $AX = A'$ and $BX = B'$. In Example 33 the partial interpolant is $\tfrac{1}{2}x - y = 0$, where $y \notin V_{AB}$. We show how to eliminate $y$ from $\tfrac{1}{2}x - y = 0$ in order to obtain an interpolant. We use modular arithmetic in order to eliminate $y$. Informally, the equation $\tfrac{1}{2}x - y = 0$ implies $\tfrac{1}{2}x - y \equiv 0 \pmod{\gamma}$ for any rational number $\gamma$. Let $\alpha$ denote the greatest common divisor of the coefficients of the variables (in $\tfrac{1}{2}x - y = 0$) that do not occur in $V_{AB}$. In this example $\alpha = 1$ (gcd of the coefficient of $y$). We know $\tfrac{1}{2}x - y = 0$ implies $\tfrac{1}{2}x - y \equiv 0 \pmod 1$. Since $y$ is an integer variable, $y \equiv 0 \pmod 1$. We can add $\tfrac{1}{2}x - y \equiv 0 \pmod 1$ and $y \equiv 0 \pmod 1$ to obtain $\tfrac{1}{2}x \equiv 0 \pmod 1$ (note that $y$ is eliminated). Intuitively, the linear modular equation $\tfrac{1}{2}x \equiv 0 \pmod 1$ is an interpolant for $(x - 2y = 0, x - 2z = 1)$. By using basic modular arithmetic (P5) this interpolant can be written as $x \equiv 0 \pmod 2$.

We  now  formalize  the  above  intuition  to  address  the  case  when  the  partial 
interpolant  contains  variables  that  are  not  common  to  AX  =  A '  and  BX  =  B' . 


Theorem 12 Assume that the coefficient $a_i$ of at least one $x_i \in V_{A \setminus B}$ in the partial interpolant (Equation 6.1) is not zero. Let $\alpha$ denote the gcd of $\{a_i \mid x_i \in V_{A \setminus B}\}$.

(a) $\alpha$ is an integer and $\alpha > 0$.

(b) Let $\beta$ be any integer that divides $\alpha$. Then the following linear modular equation $I_\beta$ is an interpolant for $(AX = A', BX = B')$:

$$I_\beta := \sum_{x_i \in V_{AB}} b_i x_i \equiv c \pmod{\beta}$$

Observe that $I_\beta$ contains only variables that are common to both $AX = A'$ and $BX = B'$. It is obtained from the partial interpolant by dropping all variables occurring only in $AX = A'$ ($V_{A \setminus B}$) and replacing the linear equality by a modular equality.

The proof can be found in Appendix D.1.2. In Theorem 12, $I_1$ is always an interpolant for $(AX = A', BX = B')$. For $\alpha > 1$ Theorem 12 allows us to obtain multiple interpolants by choosing different $\beta$. For any $\beta$ that divides $\alpha$, $I_\alpha \Rightarrow I_\beta$ and $I_\beta \Rightarrow I_1$. Depending upon the application one can use the strongest interpolant $I_\alpha$ (fewest satisfying assignments) or the weakest interpolant $I_1$ (most satisfying assignments). The next example illustrates the use of Theorem 12 in obtaining multiple interpolants.

Example 34 Consider the system of LDEs $CX = D$ and a proof of unsatisfiability
$R$:

$$\begin{bmatrix} 30 & 4 \\ 0 & 1 \end{bmatrix} \begin{bmatrix} x \\ y \end{bmatrix} = \begin{bmatrix} 2 \\ 2 \end{bmatrix}, \qquad R = \left[\tfrac{1}{5}, \tfrac{1}{5}\right], \qquad RC = [6, 1], \qquad RD = \tfrac{4}{5}$$

Let $AX = A'$ be the first equation in $CX = D$, that is, $30x + 4y = 2$ (in matrix form).
Let $BX = B'$ be the second equation in $CX = D$, that is, $y = 2$. Observe that $V_{A \setminus B} :=
\{x\}$, $V_{AB} := \{y\}$, $V_{B \setminus A} := \emptyset$. In this case $R_1 = [\tfrac{1}{5}]$. The partial interpolant $R_1 AX =
R_1 A'$ for the pair $(AX = A', BX = B')$ is $6x + \tfrac{4}{5}y = \tfrac{2}{5}$. The partial interpolant is not
an interpolant as it contains the variable $x$, which does not occur in $V_{AB}$.

Using Theorem 12 we can obtain four interpolants for the pair $(AX = A', BX =
B')$, since $\alpha = 6$ and $\beta$ ranges over the divisors $1, 2, 3, 6$:

$$I_1 := \tfrac{4}{5}y =_1 \tfrac{2}{5}, \qquad I_2 := \tfrac{4}{5}y =_2 \tfrac{2}{5}, \qquad I_3 := \tfrac{4}{5}y =_3 \tfrac{2}{5}, \qquad I_6 := \tfrac{4}{5}y =_6 \tfrac{2}{5}$$

$I_6$ implies all other interpolants. That is, $I_6 \Rightarrow I_3$, $I_6 \Rightarrow I_2$, $I_6 \Rightarrow I_1$. $I_1$ is implied by
all other interpolants. That is, $I_2 \Rightarrow I_1$, $I_3 \Rightarrow I_1$, $I_6 \Rightarrow I_1$.

Lemma 3 and Theorem 12 give us a sound and complete algorithm for computing
an interpolant for unsatisfiable systems of LDEs. The pseudocode is given in
Algorithm 6.1.

The interpolant produced by Algorithm 6.1 depends on the proof of unsatisfiability.
There is no guarantee that the generated interpolant will be an LDE, even if
there exists an interpolant for $(AX = A', BX = B')$ that is an LDE.
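The following is an added worked example, not code from the thesis or from the INT2 tool: Algorithm 6.1 carried out in exact rational arithmetic on Example 34 and on the $(x - 2y = 0,\ x - 2z = 1)$ pair from the start of this section. The encoding of equations as dictionaries, the function names, and the brute-force box check are this example's own choices; the check only samples a finite integer box and is a spot check of the interpolant properties ($A \Rightarrow I_\beta$, $I_\beta \wedge B$ unsatisfiable), not a proof.

```python
from fractions import Fraction
from itertools import product
from math import gcd

# Added example, not code from the thesis or INT2. A system of LDEs is a list of
# rows {var: Fraction} plus a list of right-hand sides; the proof of unsatisfiability
# R = [R1 | R2] is a list of Fractions, one per equation (Definition 15).

def combine(R, rows, rhs):
    """Linear combination R * (rows) and R * rhs, dropping zero coefficients."""
    coeffs = {}
    for r, row in zip(R, rows):
        for var, c in row.items():
            coeffs[var] = coeffs.get(var, Fraction(0)) + r * c
    total = sum((r * d for r, d in zip(R, rhs)), Fraction(0))
    return {v: c for v, c in coeffs.items() if c != 0}, total

def check_proof(R, rows, rhs):
    """Definition 15: RC is integral and RD is not an integer."""
    rc, rd = combine(R, rows, rhs)
    return all(c.denominator == 1 for c in rc.values()) and rd.denominator != 1

def interpolants(R1, A, Ap, B):
    """Algorithm 6.1. Returns ('lde', coeffs, c) when the partial interpolant has no
    A-only variable, else ('lme', coeffs, c, betas) meaning  sum coeffs =_beta c  for
    every beta in betas (the divisors of alpha): I_alpha is strongest, I_1 weakest."""
    vars_a = {v for row in A for v in row}
    vars_b = {v for row in B for v in row}
    v_ab, v_a_only = vars_a & vars_b, vars_a - vars_b
    pi, c = combine(R1, A, Ap)                        # line 2: partial interpolant R1 A X = R1 A'
    a_only = {v: pi[v] for v in pi if v in v_a_only}  # the a_i of line 3
    if not a_only:
        return ('lde', pi, c)                         # line 5
    alpha = 0
    for coef in a_only.values():                      # line 7; Theorem 12(a): the a_i are integers
        assert coef.denominator == 1
        alpha = gcd(alpha, abs(coef.numerator))
    common = {v: pi[v] for v in pi if v in v_ab}      # drop V_{A\B}, keep the b_i
    betas = [b for b in range(1, alpha + 1) if alpha % b == 0]
    return ('lme', common, c, betas)

def holds(coeffs, c, beta, point):
    """beta == 0: plain equality; otherwise  sum =_beta c, i.e. (sum - c)/beta is an integer."""
    val = sum((a * point[v] for v, a in coeffs.items()), Fraction(0)) - c
    return val == 0 if beta == 0 else (val / beta).denominator == 1

def sanity_check(interp, A, Ap, B, Bp, names, bound=10):
    """Brute force over the integer box [-bound, bound]^n: A => I_beta and I_beta /\ B
    unsatisfiable for every beta. A spot check on a finite box, not a proof."""
    betas = interp[3] if interp[0] == 'lme' else [0]
    for beta in betas:
        for vals in product(range(-bound, bound + 1), repeat=len(names)):
            p = dict(zip(names, vals))
            in_a = all(holds(row, d, 0, p) for row, d in zip(A, Ap))
            in_b = all(holds(row, d, 0, p) for row, d in zip(B, Bp))
            i = holds(interp[1], interp[2], beta, p)
            if (in_a and not i) or (i and in_b):
                return False
    return True

# Example 34 from the thesis: A is 30x + 4y = 2, B is y = 2, R = [1/5, 1/5].
A, Ap = [{'x': Fraction(30), 'y': Fraction(4)}], [Fraction(2)]
B, Bp = [{'y': Fraction(1)}], [Fraction(2)]
R = [Fraction(1, 5), Fraction(1, 5)]
EX34 = interpolants(R[:1], A, Ap, B)
# EX34 == ('lme', {'y': Fraction(4, 5)}, Fraction(2, 5), [1, 2, 3, 6]), i.e. 4/5 y =_beta 2/5

# The pair (x - 2y = 0, x - 2z = 1) from the start of the section, R1 = [1/2]:
# the result is 1/2 x =_1 0, i.e. x =_2 0.
A0, Ap0 = [{'x': Fraction(1), 'y': Fraction(-2)}], [Fraction(0)]
B0, Bp0 = [{'x': Fraction(1), 'z': Fraction(-2)}], [Fraction(1)]
EX_INTRO = interpolants([Fraction(1, 2)], A0, Ap0, B0)

if __name__ == "__main__":
    print("proof ok:", check_proof(R, A + B, Ap + Bp))
    print("Example 34:", EX34, sanity_check(EX34, A, Ap, B, Bp, ['x', 'y']))
    print("intro pair:", EX_INTRO, sanity_check(EX_INTRO, A0, Ap0, B0, Bp0, ['x', 'y', 'z']))
```

The assertion in `interpolants` is the place to look if a proof of unsatisfiability comes from an untrusted source: Theorem 12(a) only holds when $R_1 A + R_2 B$ is integral, so a malformed $R$ shows up there rather than as a silently wrong interpolant.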


Algorithm 6.1 Interpolation for Linear Diophantine Equations
Input: Systems of LDEs $AX = A'$ and $BX = B'$; $AX = A' \wedge BX = B'$ is unsatisfiable.
Output: Return an interpolant for $(AX = A', BX = B')$

1: $[R_1, R_2] \Leftarrow$ proof of unsatisfiability of $AX = A' \wedge BX = B'$
   {$R_1 A + R_2 B$ is integral and $R_1 A' + R_2 B'$ is not an integer}
2: $PI \Leftarrow R_1 AX = R_1 A'$ {$PI$ represents the partial interpolant}
3: $PI$ can be written as
   $$\sum_{x_i \in V_{A \setminus B}} a_i x_i + \sum_{x_i \in V_{AB}} b_i x_i = c$$
   {$V_{AB} \subseteq X$ represents variables occurring in both $AX = A'$ and $BX = B'$, while
   $V_{A \setminus B} \subseteq X$ represents variables occurring only in $AX = A'$}
4: if $a_i = 0$ for all $x_i \in V_{A \setminus B}$ then
5:   return $PI$ {Interpolant is an LDE}
6: else
7:   $\alpha \Leftarrow \gcd\{a_i \mid x_i \in V_{A \setminus B}\}$ {$\alpha$ is an integer}
8:   Let $\beta$ be any integer that divides $\alpha$. Let the linear modular equation be
     $$I_\beta := \sum_{x_i \in V_{AB}} b_i x_i =_\beta c$$
9:   return $I_\beta$ {Interpolant is an LME}
10: end if


6.5 System of Linear Modular Equations (LMEs)

In this section we discuss proofs of unsatisfiability and the interpolation algorithm for
LMEs. We first consider a system of LMEs where all equations have the same
modulus $l$, where $l$ is a rational number. We denote this system as $CX =_l D$,
where $C$ denotes an $m \times n$ rational matrix, $X$ denotes a column vector of $n$ integer
variables and $D$ denotes a column vector of $m$ rational numbers. The next theorem
gives a necessary and sufficient condition for $CX =_l D$ to have an integral solution.


Theorem 13 The system $CX =_l D$ has no integral solution $X$ if and only if there
exists a rational row vector $R$ such that $RC$ is integral, $lR$ is integral, and $RD$ is
not an integer. Note that $lR$ denotes the row vector obtained by multiplying each
element of $R$ by the rational number $l$. (The size of $R$ is $1 \times m$.)

The proof uses reduction to LDEs. See the appendix D.2.1 for the proof.

Definition 17 We say a system of LMEs $CX =_l D$ is unsatisfiable if it has no
integral solution $X$. A proof of unsatisfiability for a system of LMEs $CX =_l D$ is
a rational row vector $R$ such that $RC$ is integral, $lR$ is integral, and $RD$ is not an
integer.

Example 35 Consider the system of LMEs $CX =_8 D$ and a proof of unsatisfiability
$R$:

$$\begin{bmatrix} 2 & 2 \\ 2 & 1 \\ 4 & 0 \end{bmatrix} \begin{bmatrix} x \\ y \end{bmatrix} =_8 \begin{bmatrix} 4 \\ 4 \\ 4 \end{bmatrix}, \qquad R = \left[\tfrac{1}{4}, -\tfrac{1}{2}, -\tfrac{1}{8}\right], \qquad RC = [-1, 0], \qquad lR = [2, -4, -1], \qquad RD = -\tfrac{3}{2}$$

Intuitively, $CX =_8 D$ is unsatisfiable because we can take an integer linear combination
of the given equations using $lR$ to get a contradiction $0 =_8 -12$.

Definition 18 (Implication) A system of LMEs $CX =_l D$ implies an LME $AX =_l B$
if every integral vector $X$ satisfying $CX =_l D$ also satisfies $AX =_l B$.

Lemma 4 For every integral row vector $U$ the system of LMEs $CX =_l D$ implies
$UCX =_l UD$.


6.5.1  Computing  Interpolants  for  Systems  of  LMEs 

Let $AX =_l A'$ and $BX =_l B'$ be two systems of LMEs such that $AX =_l A' \wedge BX =_l B'$
is unsatisfiable. We show that $(AX =_l A', BX =_l B')$ always has an LME as
an interpolant. Let $R = [R_1, R_2]$ denote a proof of unsatisfiability for the system
$AX =_l A' \wedge BX =_l B'$ such that $R_1 A + R_2 B$ is integral, $lR = [lR_1, lR_2]$ is integral,
and $R_1 A' + R_2 B'$ is not an integer. The following theorem shows that we can take
integer linear combinations of equations in $AX =_l A'$ to obtain interpolants.

Theorem 14 We assume $l \neq 0$. Let $S_1$ denote the set of non-zero coefficients of
$x_i \in V_{A \setminus B}$ in $R_1 AX$. Let $S_2$ denote the set of non-zero elements of the row vector $lR_1$.
If $S_2 = \emptyset$, then the interpolant for $(AX =_l A', BX =_l B')$ is the trivial LME $0 =_l 0$.
Otherwise, let $S_2 \neq \emptyset$. Let $\alpha$ denote the gcd of the numbers in $S_1 \cup S_2$. (a) $\alpha$ is an
integer and $\alpha > 0$.

(b) Let $\beta$ be any integer that divides $\alpha$. Let $U = \frac{lR_1}{\beta}$. Then $UAX =_l UA'$ is an
interpolant for $(AX =_l A', BX =_l B')$.

The proof is given in the appendix D.2.2.


Example 36 Consider the system of LMEs $CX =_l D$ in Example 35. Let $AX =_l A'$
denote the first two equations in $CX =_l D$ and $BX =_l B'$ denote the last equation
in $CX =_l D$. Observe that $V_{A \setminus B} := \{y\}$, $V_{AB} := \{x\}$, $V_{B \setminus A} := \emptyset$. A proof of unsatisfiability
for $CX =_l D$ is $R = [\tfrac{1}{4}, -\tfrac{1}{2}, -\tfrac{1}{8}]$. We have $R_1 = [\tfrac{1}{4}, -\tfrac{1}{2}]$, $lR_1 = [2, -4]$,
$R_1 AX$ is $-\tfrac{1}{2}x$, $S_1 = \emptyset$, $S_2 = \{2, -4\}$, $\alpha = 2$. We can take $\beta = 1$ or $\beta = 2$ to obtain
two valid interpolants. For $\beta = 1$, $U = [2, -4]$ and the interpolant $UAX =_l UA'$
is $-4x =_8 -8$ (equivalently $x =_2 0$). For $\beta = 2$, $U = [1, -2]$ and the interpolant
$UAX =_l UA'$ is $-2x =_8 -4$ (equivalently $x =_4 2$).

6.5.2 Handling LMEs with Different Moduli

Consider a system $F$ of LMEs, where equations in $F$ can have different moduli.
In order to check the satisfiability of $F$, we obtain another equivalent system of
equations $F'$ such that each equation in $F'$ has the same modulus. This is done
using a standard trick described in Mathews [109]. Let $m_1, \ldots, m_k$ represent the
different moduli occurring in equations in $F$. Let $m$ denote the least common
multiple of $m_1, \ldots, m_k$. We mult
iply each equation $t =_{m_i} c$ in $F$ by $\frac{m}{m_i}$ to obtain
another equation $\frac{m}{m_i} t =_m \frac{m}{m_i} c$. Let $F'$ represent the set of new equations. All
equations in $F'$ have the same modulus $m$. Using basic modular arithmetic one can
show that $F$ and $F'$ are equivalent. Suppose $F$ is unsatisfiable. Then the interpolants
for any partition of $F$ can be computed by working with $F'$ and using the
techniques described in the previous section. For example, let $F$ represent the
following system of LMEs $x =_2 1 \wedge x + y =_4 2 \wedge 2x + y =_8 4$. One can work with
$F' := 4x =_8 4 \wedge 2x + 2y =_8 4 \wedge 2x + y =_8 4$ instead of $F$.
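The following is an added worked example, not code from the thesis or from INT2, covering both Theorem 14 (Section 6.5.1, on Example 35/36) and the common-modulus rewriting of Section 6.5.2 (on the system $F$ just above). Moduli are taken to be positive integers here, which is narrower than the rational moduli the thesis allows; the dictionary encoding of equations, the function names and the brute-force modular check over $[0, l)^n$ are this example's own choices, and that check is a finite spot check of $A \Rightarrow I$ and $I \wedge B$ unsatisfiable, not a proof.

```python
from fractions import Fraction as Fr
from itertools import product
from math import gcd, lcm

# Added example, not code from the thesis or INT2. An LME  t =_m c  is the triple
# (coeffs, c, m) with coeffs a dict {var: Fraction}; a system is a list of triples.
# Moduli are assumed to be positive integers here (the thesis allows rationals).

def normalize_moduli(system):
    """Section 6.5.2: rewrite every equation over the lcm m of all moduli by
    multiplying  t =_{m_i} c  through by m/m_i. Returns (new_system, m)."""
    m = 1
    for _, _, mi in system:
        m = lcm(m, mi)
    return [({v: Fr(m, mi) * a for v, a in coeffs.items()}, Fr(m, mi) * c, m)
            for coeffs, c, mi in system], m

def row_combination(R, system):
    """R * (C X) and R * D: the linear combination of the equations with weights R."""
    coeffs, rhs = {}, Fr(0)
    for r, (row, c, _) in zip(R, system):
        for v, a in row.items():
            coeffs[v] = coeffs.get(v, Fr(0)) + r * a
        rhs += r * c
    return {v: a for v, a in coeffs.items() if a != 0}, rhs

def check_proof(R, system, l):
    """Definition 17: RC integral, lR integral and RD not an integer."""
    rc, rd = row_combination(R, system)
    return (all(a.denominator == 1 for a in rc.values())
            and all((l * r).denominator == 1 for r in R) and rd.denominator != 1)

def lme_interpolants(R1, A, B, l):
    """Theorem 14. Returns (alpha, {beta: (coeffs, c, l)}) where each value is the
    LME  U A X =_l U A'  with U = l R1 / beta, for every beta dividing alpha."""
    vars_a = {v for row, _, _ in A for v in row}
    vars_b = {v for row, _, _ in B for v in row}
    r1ax, _ = row_combination(R1, A)
    s1 = {r1ax[v] for v in r1ax if v in vars_a - vars_b}   # coefficients of V_{A\B}
    s2 = {l * r for r in R1 if l * r != 0}                 # non-zero entries of l R1
    if not s2:
        return 0, {1: ({}, Fr(0), l)}                      # the trivial LME 0 =_l 0
    alpha = 0
    for n in s1 | s2:
        assert n.denominator == 1                           # Theorem 14(a)
        alpha = gcd(alpha, abs(n.numerator))
    out = {}
    for beta in range(1, alpha + 1):
        if alpha % beta == 0:
            U = [l * r / beta for r in R1]
            coeffs, c = row_combination(U, A)
            out[beta] = (coeffs, c, l)
    return alpha, out

def satisfies(eq, point):
    """t =_m c holds at an integer point iff (t - c)/m is an integer."""
    coeffs, c, m = eq
    val = sum((a * point[v] for v, a in coeffs.items()), Fr(0)) - c
    return (val / m).denominator == 1

def sanity_check(interp, A, B, names, l):
    """Brute force over [0, l)^n (integer coefficients, so truth repeats with period l):
    A => I and I /\ B unsatisfiable. A spot check, not a proof."""
    for vals in product(range(l), repeat=len(names)):
        p = dict(zip(names, vals))
        in_a = all(satisfies(e, p) for e in A)
        in_b = all(satisfies(e, p) for e in B)
        i = satisfies(interp, p)
        if (in_a and not i) or (i and in_b):
            return False
    return True

# Example 35/36 from the thesis, modulus 8: A is the first two equations, B the last.
EX35 = [({'x': Fr(2), 'y': Fr(2)}, Fr(4), 8),
        ({'x': Fr(2), 'y': Fr(1)}, Fr(4), 8),
        ({'x': Fr(4)}, Fr(4), 8)]
R35 = [Fr(1, 4), Fr(-1, 2), Fr(-1, 8)]
ALPHA36, INTERP36 = lme_interpolants(R35[:2], EX35[:2], EX35[2:], 8)
# ALPHA36 == 2; INTERP36[1] is -4x =_8 -8 (x =_2 0), INTERP36[2] is -2x =_8 -4 (x =_4 2)

# The three-moduli system F of Section 6.5.2, rewritten over lcm(2, 4, 8) = 8.
F = [({'x': Fr(1)}, Fr(1), 2),
     ({'x': Fr(1), 'y': Fr(1)}, Fr(2), 4),
     ({'x': Fr(2), 'y': Fr(1)}, Fr(4), 8)]
F_PRIME, M = normalize_moduli(F)   # 4x =_8 4, 2x + 2y =_8 4, 2x + y =_8 4

if __name__ == "__main__":
    print("proof ok:", check_proof(R35, EX35, 8), "alpha =", ALPHA36)
    for beta, eq in INTERP36.items():
        print("beta =", beta, eq, sanity_check(eq, EX35[:2], EX35[2:], ['x', 'y'], 8))
    print("F' =", F_PRIME, "modulus", M)
```

Note that `normalize_moduli` is applied before any partition is chosen: after it, every equation carries the same $l$, which is what `check_proof` and `lme_interpolants` require of their input.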


6.6 Algorithms for Obtaining Proofs of Unsatisfiability

Polynomial time algorithms are known for determining if a system of LDEs $CX =
D$ has an integral solution or not [129]. We review one such algorithm that is based
on the computation of the Hermite normal form (HNF) of the matrix $C$.

Using standard Gaussian elimination it can be determined if $CX = D$ has a
rational solution or not. If $CX = D$ has no rational solution, then it cannot have
any integral solution. In the discussion below we assume that $CX = D$ has a
rational solution. Without loss of generality we assume that the matrix $C$ has full row
rank, that is, all rows of $C$ are linearly independent (linearly dependent equations
can be removed).

The HNF of an $m \times n$ matrix $C$ with full row rank is of the form $[E\ 0]$ where
$0$ represents an $m \times (n - m)$ matrix filled with zeros and $E$ is a square $m \times m$
matrix with the following properties: 1) $E$ is lower triangular 2) $E$ is non-singular
(invertible) 3) all entries in $E$ are non-negative and the maximum entry in each row
lies on the diagonal. The HNF of a matrix can be obtained by three elementary
column operations. 1) Exchanging two columns. 2) Multiplying a column by $-1$.
3) Adding an integral multiple of one column to another column. Each column
operation can be represented by a unimodular matrix. A unimodular matrix is
a square matrix with integer entries and determinant $+1$ or $-1$. The product of
unimodular matrices is a unimodular matrix. The inverse of a unimodular matrix
is a unimodular matrix. The conversion of $C$ to HNF can be represented as follows:
$CU = [E\ 0]$, where $U$ is a unimodular matrix, the sizes of $C, U, E$ are $m \times n$, $n \times
n$, $m \times m$, respectively and $0$ represents an $m \times (n - m)$ matrix filled with zeros
($n \geq m$ because $C$ has full row rank). The following result shows the use of HNF
in determining the satisfiability of a system of LDEs. Let $E^{-1}$ denote the matrix
inverse of $E$.


Lemma 5 (Corollary 5.3(b) in Schrijver [129]) For $C, X, D, E$ defined as above,
$CX = D$ has no integral solution if and only if $E^{-1}D$ is not integral.


Example 37 For the system of LDEs $CX = D$ in example 28 we have the following:

Example 38 For the system of LDEs $CX = D$ in example 29 we have the following:


6.6.1 Obtaining a Proof of Unsatisfiability for a System of LDEs

If a system of LDEs $CX = D$ is unsatisfiable, then we want to compute a row
vector $R$ such that $RC$ is integral and $RD$ is not an integer. The following corollary
shows that the proof of unsatisfiability can be obtained by using the HNF of $C$.

Corollary 14 Given $CX = D$ where $C, D$ are rational matrices, and $C$ has full
row rank. Let $[E\ 0]$ denote the HNF of $C$. If $CX = D$ has no integral solution,
then $E^{-1}D$ is not integral. Suppose the $i$th entry in $E^{-1}D$ is not an integer. Let $R'$
denote the $i$th row in $E^{-1}$. Then (a) $R'D$ is not an integer and (b) $R'C$ is integral.
Thus, $R'$ serves as the required proof of unsatisfiability of $CX = D$.

The proof is given in the appendix D.3.

Example 39 In example 37 the third row in $E^{-1}D$ is not an integer. Thus, the
proof of unsatisfiability of $CX = D$ is the third row in $E^{-1}$, which is [0, 0, j\.

In example 38 the second row in $E^{-1}D$ is not an integer. Thus, the proof of
unsatisfiability of $CX = D$ is the second row in $E^{-1}$, which is [— |].
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Proofs  of  unsatisfiability  for  LMEs  Let  CX  =1  D  be  a  system  of  LMEs.  Each 
equation  f(-  =/  d,  in  CX  =/  D  can  be  written  as  an  equi-satisfiable  LDE,  tL  +  /  v(-  —  dj, 
where  v,  is  a  new  integer  variable.  In  this  way  we  can  reduce  CX  =/  D  to  an  equi- 
satisfiable  system  of  LDEs  C'Z  =  D.  The  proof  of  unsatisfiability  of  C'Z  =  D  is 
exactly  a  proof  of  unsatisfiability  of  CX  =/  D  (see  the  proof  of  theorem  13). 

Complexity  If  a  system  of  LDEs  or  LMEs  is  unsatisfiable,  then  we  can  obtain 
a  proof  of  unsatisfiability  in  polynomial  time.  This  is  because  HNF  computation, 
matrix  inversion,  and  matrix  multiplication  can  be  done  in  polynomial  time  in 
the  size  of  input  [129,  133].  The  interpolation  algorithms  described  in  Sections 
6.4  and  6.5  are  polynomial  in  the  size  of  the  given  formulas  and  the  proof  of 
unsatisfiability. 
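The following is an added worked example, not code from the thesis, from INT2 or from PARI/GP: the HNF computed by the three column operations of Section 6.6, the extraction of a proof of unsatisfiability by Corollary 14, and the reduction of an LME system to LDEs with fresh variables $v_i$ described just above. It is run on the systems of Example 34 and Example 35; the implementation (a Euclidean reduction per row, forward substitution for $E^{-1}$) is this example's own, and it assumes, as the section does, that $C$ has full row rank.

```python
from fractions import Fraction as Fr
from math import floor

# Added example, not code from the thesis or INT2. Matrices are lists of rows of
# Fractions. C is assumed to have full row rank (Section 6.6); nothing below checks it.

def hnf(C):
    """Hermite normal form of a full-row-rank rational matrix C via the three
    unimodular column operations of Section 6.6. Returns the m x m block E, so CU = [E 0]."""
    H = [row[:] for row in C]
    m, n = len(H), len(H[0])
    for i in range(m):
        for j in range(i + 1, n):
            # Euclid on (H[i][i], H[i][j]): the gcd ends up in column i, column j becomes 0.
            while H[i][j] != 0:
                q = floor(H[i][i] / H[i][j])          # integral multiple keeps U unimodular
                for k in range(m):
                    H[k][i] -= q * H[k][j]
                for k in range(m):                    # exchange columns i and j
                    H[k][i], H[k][j] = H[k][j], H[k][i]
        if H[i][i] < 0:                               # multiply column i by -1
            for k in range(m):
                H[k][i] = -H[k][i]
        for j in range(i):                            # reduce so that 0 <= H[i][j] < H[i][i]
            q = floor(H[i][j] / H[i][i])
            for k in range(m):
                H[k][j] -= q * H[k][i]
    return [row[:m] for row in H]

def inverse_lower(E):
    """Inverse of a nonsingular lower-triangular matrix by forward substitution."""
    m = len(E)
    inv = [[Fr(0)] * m for _ in range(m)]
    for col in range(m):
        for i in range(m):
            s = (Fr(1) if i == col else Fr(0)) - sum(E[i][j] * inv[j][col] for j in range(i))
            inv[i][col] = s / E[i][i]
    return inv

def proof_of_unsat(C, D):
    """Corollary 14: the row of E^{-1} whose entry of E^{-1} D is not an integer.
    Returns None when E^{-1} D is integral, i.e. CX = D has an integral solution (Lemma 5)."""
    for row in inverse_lower(hnf(C)):
        if sum(r * d for r, d in zip(row, D)).denominator != 1:
            return row
    return None

def check_proof(R, C, D):
    """Definition 15: RC is integral and RD is not an integer."""
    rc = [sum(r * C[i][j] for i, r in enumerate(R)) for j in range(len(C[0]))]
    rd = sum(r * d for r, d in zip(R, D))
    return all(x.denominator == 1 for x in rc) and rd.denominator != 1

def lme_to_lde(C, D, l):
    """Reduce CX =_l D to the equi-satisfiable LDEs t_i + l v_i = d_i with fresh v_i."""
    m = len(C)
    return [row + [l if k == i else Fr(0) for k in range(m)] for i, row in enumerate(C)], D

# Example 34 (Section 6.4): C = [[30, 4], [0, 1]], D = [2, 2].
C34, D34 = [[Fr(30), Fr(4)], [Fr(0), Fr(1)]], [Fr(2), Fr(2)]
E34 = hnf(C34)                    # [[2, 0], [8, 15]]
R34 = proof_of_unsat(C34, D34)    # [-4/15, 1/15]; Example 34 used [1/5, 1/5]: proofs are not unique

# Example 35 (Section 6.5): the LMEs modulo 8, reduced to LDEs over x, y, v1, v2, v3.
C35, D35 = [[Fr(2), Fr(2)], [Fr(2), Fr(1)], [Fr(4), Fr(0)]], [Fr(4), Fr(4), Fr(4)]
C35Z, D35Z = lme_to_lde(C35, D35, Fr(8))
R35 = proof_of_unsat(C35Z, D35Z)  # R C' integral (so 8R integral too), R D not an integer

if __name__ == "__main__":
    print("E =", E34, "R =", R34, check_proof(R34, C34, D34))
    print("Example 35 proof:", R35, check_proof(R35, C35Z, D35Z))
```

Because the HNF proof for Example 34 differs from the $R = [\tfrac{1}{5}, \tfrac{1}{5}]$ used in the text, feeding it to Algorithm 6.1 can yield a different interpolant; this is the dependence on the proof of unsatisfiability noted at the end of Section 6.4.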

6.7 Handling Linear Diophantine Equations and Disequations

We show how to compute interpolants in the presence of linear diophantine disequations.
A linear diophantine disequation (LDD) is of the form $c_1 x_1 + \ldots + c_n x_n \neq
c_0$, where $c_0, \ldots, c_n$ are rational numbers and $x_1, \ldots, x_n$ are integer variables. A
system of LDEs+LDDs denotes conjunctions of LDEs and LDDs. For example,
$x + 2y = 1 \wedge x + y \neq 1 \wedge 2y + z \neq 1$ with $x, y, z$ as integer variables represents a system
of LDEs+LDDs. We represent a conjunction of $m$ LDDs as $\bigwedge_{i=1}^{m} C_i X \neq D_i$,
where $C_i$ is a rational row vector and $D_i$ is a rational number. The next theorem
gives a necessary and sufficient condition for a system of LDEs+LDDs to have an
integral solution.

Theorem 15 Let $F$ denote $AX = B \wedge \bigwedge_{i=1}^{m} C_i X \neq D_i$. The following are equivalent:

1. $F$ has no integral solution

2. $F$ has no rational solution or $AX = B$ has no integral solution.

The proof of (2) $\Rightarrow$ (1) in Theorem 15 is easy. The proof of (1) $\Rightarrow$ (2) is involved
and relies on the following lemmas (the full proof is given in the appendix D.6). The
first lemma shows that if a system of LDEs $AX = B$ has an integral solution, then
every LDE that is implied by $AX = B$ can be obtained by a linear combination of
equations in $AX = B$.

Lemma 6 A system of LDEs $AX = B$ implies an LDE $EX = F$ if and only if $AX = B$
is unsatisfiable or there exists a rational vector $R$ such that $E = RA$ and $F = RB$.

We use the properties of the cutting-plane proof system [129, 44] in order to prove
lemma 6. The proof is given in the appendix D.4. The next lemma shows that if
a system of LDEs implies a disjunction of LDEs, then it implies one of the LDEs
in the disjunction (also called convexity [120]).

Lemma 7 A system of LDEs $AX = B$ implies $\bigvee_{i=1}^{m} C_i X = D_i$ if and only if there
exists $1 \leq k \leq m$ such that $AX = B$ implies $C_k X = D_k$.

We use a theorem from [129] that gives a parametric description of the integral
solutions to $AX = B$ in order to prove lemma 7. See the appendix D.5 for the
full proof. Let $F$ denote $AX = B \wedge \bigwedge_{i=1}^{m} C_i X \neq D_i$. Using Theorem 15 we can
determine whether $F$ has an integral solution in polynomial time. This is because
checking if $AX = B$ has an integral solution can be done in polynomial time
[129, 44]. Checking whether the system $F$ has a rational solution can be done in
polynomial time as well [120].

6.7.1 Interpolants for LDEs+LDDs

We say a system of LDEs+LDDs is unsatisfiable if it has no integral solution.
Consider systems of LDEs+LDDs $F := F_1 \wedge F_2$ and $G := G_1 \wedge G_2$, where $F_1, G_1$
are systems of LDEs and $F_2, G_2$ are systems of LDDs. $F \wedge G$ represents another
system of LDEs+LDDs. Suppose $F \wedge G$ is unsatisfiable. The interpolant for $(F, G)$
can be computed by considering two cases (due to theorem 15):

Case 1: $F \wedge G$ is unsatisfiable because $F_1 \wedge F_2 \wedge G_1 \wedge G_2$ has no rational solution.
We can compute an interpolant for $(F, G)$ using the techniques described in [113,
128, 54]. The algorithms in [113, 128, 54] can result in interpolants containing
inequalities. We describe an alternative algorithm in the appendix D.7 that always
produces an LDE or an LDD as an interpolant.

Case 2: $F \wedge G$ is unsatisfiable because $F_1 \wedge G_1$ has no integral solution. In this
case we can compute an interpolant for the pair $(F_1, G_1)$ using the techniques from
Section 6.4. The interpolant for $(F_1, G_1)$ will be an interpolant for $(F, G)$. It can
be an LDE or an LME.
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Example 

Preds/Interpolants 

VINT2 

exl 

ex2 

ex4 

ex5 

ex6 

ex7 

forbl 

y  =2  1 
x  +  y  =2  0 
x+y+z =4 0 

x  =4  0,y  =4  0 

4x  +  2 y  +  z  =8  0 

4x  —  2y  +  z  =222  0 
x+y  =3  0 

2.72s 

0.83s 

0.95s 

1.1s 

0.93s 

0.54s 

Table  6.1:  Table  showing  the  predicates  needed  and  time  taken  in  seconds. 

6.8  Experimental  Results 


We implemented the interpolation algorithms for conjunctions of LDEs, LMEs,
LDDs in a tool called INT2 (INTeger INTerpolate). The experiments
are performed on a 1.86 GHz Intel Xeon machine with 4 GB of memory running
Linux. INT2 is designed for computing interpolants for formulas (LDEs,
LMEs, LDEs+LDDs) that are satisfiable over rationals but unsatisfiable over integers.
Currently, there are no other interpolation tools for such formulas.


6.8.1  Use  of  Interpolants  in  Verification 

We wrote a collection of small C programs each containing a while loop and
an ERROR label. These programs are safe (ERROR is unreachable). The existing
tools based on predicate abstraction and counterexample guided abstraction
refinement (CEGAR) such as BLAST [2, 89] and SATABS [16] are not able to verify
these programs. This is because the inductive invariant required for the proof
contains LMEs as predicates, shown in the "Preds/Interpolants" column of Table
6.1. These predicates cannot be discovered by the interpolation engine [113, 128]
used in BLAST or by the weakest precondition based procedure used in SATABS.
The interpolation algorithms described in this chapter are able to find the right
predicates by computing the interpolants for spurious program traces. Only one
unwinding of the while loop suffices to find the right predicates in 6 out of 7
cases. In program ex5 multiple unwindings of the while loop produce predicates
of the form $x = 0, y = 4, x = 4, y = 8, \ldots$. After a few unwindings these
predicates are generalized to obtain $x =_4 0$, $y =_4 0$.¹

We wrote similar programs in Verilog and tried verifying them with VCEGAR
[23], a CEGAR based model checker for Verilog. VCEGAR fails on these examples
due to its use of weakest preconditions. Next, we externally provided the
interpolants (predicates) found by INT2 to VCEGAR. With the help of these predicates
VCEGAR is able to show the unreachability of ERROR labels in all examples
except forb1 (ERROR is reachable in the Verilog version of forb1). The runtimes
are shown in the "VINT2" column.

Muller-Olm and Seidl [118] propose an abstraction technique that can infer
linear invariants that are sound with respect to integer arithmetic modulo a power
of 2. Their work provides an alternative way of verifying the programs listed in
Table 6.1.


¹ The generalization was done manually but can be automated as follows: on seeing a sequence
of predicates $t = c_1, t = c_2, \ldots$ add a predicate $t = 0 \pmod{\gcd(c_1, c_2, \ldots)}$ where $t$ is a term and
$c_1, c_2, \ldots$ are constants.
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6.8.2  Proofs  of  Unsatisfiability  (PoU)  Algorithms 

We obtained 459 unsatisfiable formulas (systems of LDEs) by unwinding the while
loops  for  C  programs  mentioned  above.  The  number  of  LDEs  in  these  formulas 
range  from  3  to  1500  with  2  to  4  variables  per  equation.  There  are  two  options  for 
obtaining  PoU  in  INT2. 

(a)  Using  Hermite  Normal  Form  (HNF)  (Section  6.6. 1).  We  use  PARI/GP  [136] 
to  compute  HNF  of  matrices. 

(b)  By  using  a  state-of-the-art  SMT  solver  Yices  1.0.11  [24]  in  a  black-box 
fashion  (along  the  lines  of  [128]).  Given  a  system  of  LDEs  AX  =  B  we 
encode  the  constraints  that  RA  is  integral  and  RB  is  not  an  integer  by  means 
of  mixed  integer  linear  arithmetic  constraints  (see  the  appendix  D.10).  The 
SMT  solver  returns  concrete  values  to  elements  in  R  if  AX  =  B  is  unsatisfi¬ 
able. 

The  comparison  between  (a)  and  (b)  is  shown  in  Figure  6.1.  There  is  a  timeout  of 
1000  seconds  per  problem.  The  HNF  based  algorithm  is  able  to  solve  all  problems, 
while  the  black-box  usage  of  Yices  cannot  solve  102  problems  within  the  timeout. 
Thus,  the  HNF  based  method  is  superior  over  the  black-box  use  of  Yices. 

We also ran Yices to decide whether $AX = B$ has an integral solution or not.
The system $AX = B$ ($X$ integral) is given to Yices. In this case, Yices is very efficient
and reports the satisfiability or unsatisfiability of $AX = B$ quickly. However,
no PoU is provided when $AX = B$ is unsatisfiable. In principle it is possible for
Yices to provide a PoU when $AX = B$ is unsatisfiable (although this will add some
overhead).

Figure 6.1: Comparing the Hermite Normal Form based algorithm and black-box use
of Yices for getting proofs of unsatisfiability

Note  that  the  interpolation  algorithms  proposed  in  this  chapter  are  indepen¬ 
dent  of  the  algorithm  used  to  generate  the  PoU.  Any  decision  procedure  that  can 
produce  PoU  according  to  definitions  15,  17  can  be  used  (we  are  not  restricted  to 
using  HNF  or  Yices). 


6.9  Chapter  Summary 

We  presented  polynomial  time  algorithms  for  computing  proofs  of  unsatisfiability 
and  interpolants  for  conjunctions  of  linear  diophantine  equations,  linear  modular 
equations  and  linear  diophantine  disequations.  These  interpolation  algorithms  are 
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useful  for  discovering  modular/divisibility  predicates  from  spurious  counterexam¬ 
ples  in  a  counterexample  guided  abstraction  refinement  framework. 
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Chapter  7 

Epilogue:  Future  Work 


The  domain  of  hardware  and  software  verification  abounds  with  many  challenging 
problems.  In  this  dissertation  I  focused  on  some  of  these  problems  and  presented 
possible  solutions  to  them.  It  is  now  time  to  look  at  the  possible  directions  for 
future  research. 

• Proof Generation from Non-Clausal SAT Solvers: Modern SAT solvers
provide a proof of unsatisfiability for formulas that are unsatisfiable. The
proofs of unsatisfiability are very useful in various verification techniques
such as abstraction-refinement, proof-based abstraction, and interpolation.
A promising research direction is to add proof generation capabilities to the
non-clausal SAT solvers discussed in this thesis.

• Non-clausal Learning Schemes: Conflict driven learning is an important
part of modern SAT solvers. The learning schemes used in this thesis are
clausal, that is, the learned facts are clauses. This introduces an asymmetry
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in  our  SAT  algorithms  because  the  original  formula  is  processed  in  the  non- 
clausal  form,  while  the  learned  clauses  are  processed  in  the  clausal  form. 
Despite  this  asymmetry  the  contribution  of  the  original  non-clausal  formula 
remains  significant  because  most  of  the  conflicts  and  implications  during 
BCP  occur  due  to  the  original  formula.  This  is  partly  due  to  the  fact  that 
a  significant  portion  of  learned  clauses  is  discarded  periodically  in  order  to 
save  memory  and  BCP  time. 

An interesting research direction is to come up with learning schemes that
can learn more complex formulas from conflicts. Such non-clausal learned
formulas can be added to the vpgraph/hpgraph directly. One way to perform
non-clausal learning is to combine learned clauses that share common literals
to produce new hpgraph/vpgraph components. An alternative idea is to
modify the DPLL algorithm so that branching is allowed on $\phi$ and $\neg\phi$,
where $\phi$ can be a complex formula. The idea of introducing lemmas of the
form $\phi \vee \neg\phi$, where $\phi$ can be a complex formula, has been used in theorem
proving based on vertical path forms [123].

•  Quantified  Boolean  Formulas  ( QBF)  Solvers:  Many  practical  problems  in 
verification  and  planning  can  be  framed  as  QBF  formulas.  The  Boolean 
satisfiability  (SAT)  problem  can  be  regarded  as  a  restricted  form  of  QBF, 
where  only  existential  quantifiers  are  allowed.  Unlike  SAT  solvers,  the 
QBF  solvers  [149]  can  only  handle  small  instances.  Zhang  et  al.  [147]  re¬ 
port  that  the  use  of  both  CNF  and  DNF  representations  of  a  given  Boolean 
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formula  is  crucial  for  obtaining  efficient  QBF  solvers.  The  graphical  rep¬ 
resentations  hpgraph/vpgraph  encode  the  CNF/DNF  representation  of  NNF 
formulas  compactly  and  can  lead  to  efficient  QBF  solvers.  Recent  work  by 
Lonsing  and  Biere  [105]  also  motivates  the  use  of  NNF  for  QBF  solving. 

•  Word-Level/Satisfiability  Modulo  Theories  (SMT)  Solvers:  The  formulas 
arising  in  various  applications  are  usually  a  Boolean  combination  of  con¬ 
straints.  These  constraints  can  range  over  theories  such  as  difference  logic, 
linear  arithmetic  over  reals/integers,  uninterpreted  functions,  and  so  on.  It  is 
inefficient  to  encode  such  problems  as  bit-level  (propositional)  formulas.  In 
order  to  check  the  satisfiability  of  these  formulas,  SMT  (Satisfiability  Mod¬ 
ulo  Theory)  solvers  [83,  46,  121,  141,  122,  74]  are  emerging  as  a  better  op¬ 
tion.  Most  of  the  existing  SMT  solvers  use  a  CNF  SAT  solver  for  handling 
the  Boolean  structure  of  a  given  formula.  It  will  be  interesting  to  explore  the 
use  of  non-clausal  SAT  solvers  when  reasoning  about  the  Boolean  structure 
in an SMT solver. See [134] for recent work in this direction. Tighter
integration between various theory solvers and the hpgraph/vpgraph representation
is also possible.

•  Bit-vector  Arithmetic  Solvers:  Most  hardware  and  software  verification  tech¬ 
niques  generate  decision  procedure  queries  in  bit- vector  arithmetic  logic. 
The  formulas  in  this  logic  contain  finite  precision  variables  (bit-vectors), 
arithmetic  operations  over  bit-vectors,  and  bit-wise  operations  (such  as  con¬ 
catenation,  extraction,  shifting)  over  bit-vectors.  In  bit-blasting  a  given 
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bit-vector  arithmetic  formula  is  converted  to  an  equi-satisfiable  proposi¬ 
tional  logic  formula.  The  propositional  logic  formula  is  then  checked  for 
satisfiability  using  a  Boolean  satisfiability  (SAT)  solver.  This  is  the  most 
commonly  used  technique  for  deciding  bit- vector  arithmetic  formulas.  This 
technique  is  very  successful  due  to  the  significant  improvements  in  the  ca¬ 
pacity  of  SAT  solvers  over  the  past  decade.  The  main  disadvantage  with 
the  bit-blasting  approach  is  that  the  high-level  structure  present  in  a  word- 
level  bit- vector  formula  gets  lost  at  the  propositional  level.  Reasoning  about 
the  propositional  encodings  of  operators  such  as  multiplication/division  is 
difficult  for  propositional  SAT  solvers.  As  the  datapath  (register  width) 
increases  the  corresponding  SAT  problems  become  harder.  Recent  work 
[49,  107,  82,  48]  addresses  these  limitations  by  eliminating  or  reducing  the 
need  for  bit-blasting.  More  research  needs  to  be  done  in  order  to  handle 
non-linear  operations  such  as  multiplication/division  efficiently.  Another 
promising  direction  is  to  use  the  non-clausal  SAT  solvers  in  a  bit-blasting 
approach  for  deciding  bit-vector  arithmetic  formulas. 

•  Interpolating  Theorem  Provers:  Modern  hardware  and  software  verification 
techniques  expect  the  decision  procedures  to  provide  proofs  of  unsatisfia¬ 
bility  and  interpolants.  Generating  interpolants  for  integer  linear  arithmetic 
and  bit-vector  arithmetic  is  a  challenging  task.  In  this  thesis  we  presented 
efficient  interpolation  algorithms  for  subsets  of  integer  linear  arithmetic. 
One  direction  for  future  research  is  to  use  branch-and-cut  algorithms  for 
generating  proofs  of  unsatisfiability  and  interpolants  for  full  integer  linear 
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arithmetic.  In  principle  one  can  also  reduce  many  bit- vector  arithmetic  for¬ 
mulas  to  integer  linear  arithmetic  formulas  [45].  Thus,  an  interpolating  the¬ 
orem  prover  for  integer  linear  arithmetic  can  also  be  used  to  obtain  inter- 
polants  for  bit- vector  arithmetic  formulas. 

•  Combination  of  Abstraction  Techniques:  In  most  predicate  abstraction  and 
CEGAR  based  tools,  spurious  behavior  in  the  abstract  model  is  removed  by 
adding  new  predicates  or  making  the  relationships  between  existing  predi¬ 
cates  more  precise.  Thus,  even  the  information  that  can  be  discovered  ef¬ 
ficiently  using  other  abstract  domains  is  learned  only  through  multiple  re¬ 
finement  iterations  in  form  of  new  predicate  relationships.  Large  number  of 
predicates  pose  problem  as  both  the  predicate  abstraction  computation  and 
the  model  checking  of  abstraction  is  exponential  in  the  number  of  predi¬ 
cates. This motivates the need for combining various abstraction techniques
[78, 93, 140].

In the context of circuits it may be beneficial to combine predicate abstraction
with memory abstraction techniques [80, 107] and symbolic trajectory evaluation
[25] in order to handle large memories efficiently. The abstraction
techniques  based  on  uninterpreted  functions  can  help  in  dealing  with  large 
datapaths  [28,  27].  Finally,  some  combination  of  bit-level  abstraction  tech¬ 
niques  [102,  142,  53,  115,  86,  113,  87]  and  word-level  abstraction  tech¬ 
niques  [50,  28,  95,  140,  43]  is  needed  in  order  to  handle  industrial  circuits. 


Bibliography

[1] AIGER. http://fmv.jku.at/aiger. 4.10, 4.10.1

[2] BLAST 2.4 website. http://mtc.epfl.ch/software-tools/blast/. 1.2.4, 6.8.1

[3] Cadence SMV. http://www.cadence.com/webforms/cbl_software/index.aspx. 5.4.2, 5.6

[4] CMUSAT SAT solver description. http://www.cs.cmu.edu/~hjain/papers/cmusat-solvers.pdf. 4.10.2

[5] EBMC website. http://www.verify.ethz.ch/ebmc/. 1

[6] Edimacs format. www.satcompetition.org/2005/edimacs.pdf. 3.8

[7] Hardware model checking competition. http://fmv.jku.at/hwmcc07/. 4.10.1

[8] MiniSat SAT solver. http://www.cs.chalmers.se/Cs/Research/FormalMethods/MiniSat/. 1.1, 1.2.1, 3.8, 4.10.2, 5.6

[9] MiniSAT++ SAT solver description. http://www-sr.informatik.uni-tuebingen.de/sat-race-2008/descriptions/solver_26.pdf. 4.10.2, 4.10.3

[10] M. N. Velev. http://www.ece.cmu.edu/~mvelev. 4.10.1

[11] NuSMV model checker. http://nusmv.irst.itc.it/. 5.4.2

[12] OpenCores. http://www.opencores.org/. 5.6.1

[13] PicoSAT SAT solver. http://fmv.jku.at/picosat/. 1.1, 4.10.2

[14] Rsat SAT solver. http://reasoning.cs.ucla.edu/rsat/. 1.1, 4.10.2

[15] SAT competition 2007. http://www.satcompetition.org/2007/. 4.10.1

[16] SATABS 1.9 website. http://www.verify.ethz.ch/satabs/. 6.8.1

[17] SatMate website. http://www.cs.cmu.edu/~modelcheck/satmate. 3.8

[18] Siege SAT solver. http://www.cs.sfu.ca/~loryan/personal. 1.1, 3.8

[19] SMV2QBF. http://fmv.jku.at/smv2qbf. 4.10.1

[20] Sun picoJava. http://www.sun.com/processors/technologies.html. 5.6.1

[21] TPS and ETPS. http://gtps.math.cmu.edu/tps-papers.html. 3

[22] UCLID verification tool. http://www.cs.cmu.edu/~uclid/. 3.8, 4.10.1

[23] VCEGAR 1.3 website. http://www.cs.cmu.edu/~modelcheck/vcegar/. 1.4, 5.6, 6.8.1

[24] Yices 1.0.11 website. http://yices.csl.sri.com/. 6.8.2, D.10

[25] Mark D. Aagaard, Robert B. Jones, and Carl-Johan H. Seger. Combining theorem proving and trajectory evaluation in an industrial environment. In Design Automation Conference, pages 538-541, 1998. 7

[26] Parosh Aziz Abdulla, Per Bjesse, and Niklas Eén. Symbolic Reachability Analysis Based on SAT-Solvers. In TACAS '00: Proceedings of the 6th International Conference on Tools and Algorithms for Construction and Analysis of Systems, pages 411-425, London, UK, 2000. Springer-Verlag. 1.2.1

[27] Z. S. Andraus, M. H. Liffiton, and K. A. Sakallah. Refinement strategies for verification methods based on datapath abstraction. In Asia South Pacific Design Automation Conference, pages 19-24, 2006. 1.2.4, 7


[28] Z. S. Andraus and K. A. Sakallah. Automatic abstraction and verification of Verilog models. In Proceedings of the 41st Annual Conference on Design Automation (DAC), pages 218-223. ACM Press, 2004. 1.2.4, 7

[29] Peter B. Andrews. Theorem Proving via General Matings. J. ACM, 28(2):193-214, 1981. 1.1.1, 2, 3

[30] Peter B. Andrews. An Introduction to Mathematical Logic and Type Theory: To Truth Through Proof. Kluwer Academic Publishers, Dordrecht, second edition, 2002. 1.1.1, 2, 2.2, 1, 2.2, 2.2

[31] Domagoj Babić and Alan J. Hu. Calysto: Scalable and Precise Extended Static Checking. In 30th International Conference on Software Engineering, ICSE 2008, May 10-18, 2008, Proceedings, 2008. 1.1

[32] Domagoj Babić and Madanlal Musuvathi. Modular Arithmetic Decision Procedure. Technical Report TR-2005-114, Microsoft Research Redmond, 2005. 1.2.4, 6.2

[33] T. Ball and S. K. Rajamani. Automatically validating temporal safety properties of interfaces. In The 8th International SPIN Workshop on Model Checking of Software, pages 103-122, 2001. 1.2.1, 1.2.3, 5, 5.1

[34] T. Ball and S. K. Rajamani. Boolean programs: A model and process for software analysis. Technical Report 2000-14, Microsoft Research, February 2000. 5

[35] Thomas Ball, Byron Cook, Satyaki Das, and Sriram Rajamani. Refining approximations in software predicate abstraction. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pages 388-403. Springer, 2004. 5

[36] Thomas Ball, Byron Cook, Shuvendu K. Lahiri, and Lintao Zhang. Zapato: Automatic theorem proving for predicate abstraction refinement. In Computer Aided Verification. Springer, 2004. 5

[37] Thomas Ball, Rupak Majumdar, Todd Millstein, and Sriram K. Rajamani. Automatic predicate abstraction of C programs. In PLDI '01: Proceedings of the ACM SIGPLAN 2001 Conference on Programming Language Design and Implementation, pages 203-213, New York, NY, USA, 2001. ACM. 5

[38] Clark W. Barrett, David L. Dill, and Jeremy R. Levitt. A decision procedure for bit-vector arithmetic. In DAC '98: Proceedings of the 35th Annual Conference on Design Automation, pages 522-527, New York, NY, USA, 1998. ACM Press. 1.2.4, 6.2

[39] Jason Baumgartner, Andreas Kuehlmann, and Jacob A. Abraham. Property checking via structural analysis. In Computer Aided Verification, pages 151-165. Springer-Verlag, 2002. 1.2.4

[40] Wolfgang Bibel. On Matrices with Connections. J. ACM, 28(4):633-645, 1981. 3

[41] Armin Biere. PicoSAT essentials. Journal on Boolean Satisfiability, Boolean Modeling and Computation (JSAT), 2008. 1.1

[42] Armin Biere, Alessandro Cimatti, Edmund M. Clarke, and Yunshan Zhu. Symbolic model checking without BDDs. In Tools and Algorithms for Construction and Analysis of Systems, pages 193-207, 1999. 1.1, 1.2.1, 5.4.2

[43] Per Bjesse. A practical approach to word level model checking of industrial netlists. In CAV, pages 446-458, 2008. 7

[44] Alexander Bockmayr and Volker Weispfenning. Solving numerical constraints. In A. Robinson and A. Voronkov, editors, Handbook of Automated Reasoning, pages 751-842. 2001. 6.1, 6.4, 6.7, 6.7, D.4

[45] Marco Bozzano, Roberto Bruttomesso, Alessandro Cimatti, Anders Franzén, Ziyad Hanna, Zurab Khasidashvili, Amit Palti, and Roberto Sebastiani. Encoding RTL Constructs for MathSAT: a Preliminary Report. Electr. Notes Theor. Comput. Sci., 144(2):3-14, 2006. 7

[46] Marco Bozzano, Roberto Bruttomesso, Alessandro Cimatti, Tommi A. Junttila, Peter van Rossum, Stephan Schulz, and Roberto Sebastiani. An incremental and layered procedure for the satisfiability of linear arithmetic logic. In TACAS, pages 317-333, 2005. 7

[47] Robert Brummayer and Armin Biere. C32SAT: Checking C expressions. In CAV, pages 294-297, 2007. 4.10.1

[48] Roberto Bruttomesso, Alessandro Cimatti, Anders Franzén, Alberto Griggio, Ziyad Hanna, Alexander Nadel, Amit Palti, and Roberto Sebastiani. A Lazy and Layered SMT(BV) Solver for Hard Industrial Verification Problems. In Computer Aided Verification (CAV '07), Berlin, Germany, July 2007. Springer-Verlag. 1.2.4, 6.2, 7

[49] R. E. Bryant, D. Kroening, J. Ouaknine, S. A. Seshia, O. Strichman, and B. Brady. Deciding bit-vector arithmetic with abstraction. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2007. 1.2.4, 6.2, 7

[50] R. E. Bryant, S. K. Lahiri, and S. A. Seshia. Modeling and verifying systems using a logic of counter arithmetic with lambda expressions and uninterpreted functions. In Computer Aided Verification, 14th International Conference, CAV 2002, pages 78-92, 2002. 1.2.4, 7

[51] Randal E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Trans. Comput., 35(8):677-691, 1986. 1.2.1

[52] J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: 10^20 states and beyond. Information and Computation, 98(2):142-170, 1992. 1.2.1

[53] Pankaj Chauhan, Edmund M. Clarke, James H. Kukula, Samir Sapra, Helmut Veith, and Dong Wang. Automated abstraction refinement for model checking large state spaces using SAT based conflict analysis. In Formal Methods in Computer Aided Design, pages 33-51, 2002. 1.1, 7

[54] Alessandro Cimatti, Alberto Griggio, and Roberto Sebastiani. Efficient interpolation in satisfiability modulo theories. In TACAS, 2008. To appear. 1.3, 1.3.2, 6.1, 6.2, 6.7.1, D.7

[55] E. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement. In CAV, pages 154-169. Springer, 2000. 1.2.1, 5.4

[56] E. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement for symbolic model checking. J. ACM, 50(5), 2003. 6.1

[57] E. Clarke, O. Grumberg, and D. E. Long. Model checking and abstraction. In Principles of Programming Languages, 1992. 5.3

[58] E. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999. 1.2.1, 1.2.4, 5.3, 5.4.1

[59] E. Clarke, D. Kroening, N. Sharygina, and K. Yorav. Predicate abstraction of ANSI-C programs using SAT. Formal Methods in System Design, 25, 2004. 5, 5.1, 5.3

[60] E. M. Clarke and E. A. Emerson. Synthesis of synchronization skeletons for branching time temporal logic. In Logic of Programs: Workshop, volume 131 of LNCS. Springer, 1981. 1.2.1


[61] Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. Counterexample-guided abstraction refinement for symbolic model checking. J. ACM, 50(5):752-794, 2003. 1.2.1

[62] Edmund Clarke, Daniel Kroening, Natasha Sharygina, and Karen Yorav. SATABS: SAT-based predicate abstraction for ANSI-C. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2005), volume 3440 of Lecture Notes in Computer Science, pages 570-574. Springer-Verlag, 2005. 1.1, 5

[63] Edmund Clarke, Muralidhar Talupur, and Dong Wang. SAT based predicate abstraction for hardware verification. In Theory and Applications of Satisfiability Testing (SAT), 2003. 1.2.4, 5.1, 5.5, 5.5.2

[64] Edmund M. Clarke, Daniel Kroening, and Flavio Lerda. A Tool for Checking ANSI-C Programs. In TACAS, pages 168-176, 2004. 1.1

[65] Edmund M. Clarke and Helmut Veith. Counterexamples revisited: Principles, algorithms, applications. In Verification: Theory and Practice, pages 208-224, 2003. 5.3

[66] Stephen A. Cook. The complexity of theorem-proving procedures. In STOC, pages 151-158, 1971. 1.1

[67] William Craig. Linear Reasoning. A New Form of the Herbrand-Gentzen Theorem. J. Symb. Log., 22(3):250-268, 1957. 1.3

[68] David Cyrluk, M. Oliver Möller, and Harald Rueß. An efficient decision procedure for the theory of fixed-sized bit-vectors. In CAV '97: Proceedings of the 9th International Conference on Computer Aided Verification, pages 60-71, London, UK, 1997. Springer-Verlag. 6.2

[69] Satyaki Das and David L. Dill. Successive approximation of abstract transition relations. In Proceedings of LICS, 2001. 23

[70] Martin Davis, George Logemann, and Donald Loveland. A machine program for theorem-proving. Commun. ACM, 5(7):394-397, 1962. 1.1, 2, 4

[71] Martin Davis and Hilary Putnam. A computing procedure for quantification theory. J. ACM, 7(3):201-215, 1960. 1.1, 2, 4

[72] Flavio M. de Paula and Alan J. Hu. An effective guidance strategy for abstraction-guided simulation. In DAC, June 4-8 2007. 5.6.1

[73] David Detlefs, Greg Nelson, and James B. Saxe. Simplify: A theorem prover for program checking. Technical Report HPL-2003-148, HP Labs, 2003. 5

[74] Bruno Dutertre and Leonardo Mendonça de Moura. A Fast Linear-Arithmetic Solver for DPLL(T). In CAV, pages 81-94, 2006. 6.2, 7

[75] Niklas Eén and Armin Biere. Effective Preprocessing in SAT Through Variable and Clause Elimination. In SAT, pages 61-75, 2005. 1.1, 2.1

[76] Niklas Eén, Alan Mishchenko, and Niklas Sörensson. Applying Logic Synthesis for Speeding Up SAT. In SAT, pages 272-286, 2007. 4.10.3

[77] Niklas Eén and Niklas Sörensson. An Extensible SAT-solver. In SAT, pages 502-518, 2003. 1.1

[78] Jeffrey Fischer, Ranjit Jhala, and Rupak Majumdar. Joining dataflow with predicates. In ESEC/SIGSOFT FSE, pages 227-236, 2005. 7

[79] M. K. Ganai, P. Ashar, A. Gupta, L. Zhang, and S. Malik. Combining Strengths of Circuit-based and CNF-based Algorithms for a High-performance SAT solver. In DAC, 2002. 1.1

[80] Malay K. Ganai, Aarti Gupta, and Pranav Ashar. Efficient modeling of embedded memories in bounded model checking. In Computer Aided Verification, pages 440-452, 2004. 7

[81] Vijay Ganesh, Sergey Berezin, and David L. Dill. A decision procedure for fixed-width bit-vectors. Technical Report CSTR 2007-06, Stanford Computer Science Department, 2005. 6.2

[82] Vijay Ganesh and David L. Dill. A decision procedure for bit-vectors and arrays. In Computer Aided Verification (CAV '07), Berlin, Germany, July 2007. Springer-Verlag. 1.2.4, 6.2, 7

[83] H. Ganzinger, G. Hagen, R. Nieuwenhuis, A. Oliveras, and C. Tinelli. DPLL(T): Fast Decision Procedures. In R. Alur and D. Peled, editors, 16th International Conference on Computer Aided Verification, CAV'04, volume 3114 of Lecture Notes in Computer Science, pages 175-188. Springer, 2004. 7

[84] E. Goldberg and Y. Novikov. BerkMin: A Fast and Robust Sat-Solver. In DATE, 2002. 1.1, 3.8

[85] S. Graf and H. Saïdi. Construction of abstract state graphs with PVS. In Computer Aided Verification (CAV), volume 1254, pages 72-83, 1997. 1.2.3, 5, 5.3

[86] Aarti Gupta, Malay Ganai, Zijiang Yang, and Pranav Ashar. Iterative abstraction using SAT-based BMC with proof analysis. In International Conference on Computer-Aided Design (ICCAD), page 416, 2003. 1.1, 1.2.2, 7

[87] Anubhav Gupta. Learning Abstractions for Model Checking. PhD thesis, Carnegie Mellon University, 2006. 1.1, 1.2.2, 7

[88] T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy abstraction. In Principles of Programming Languages, pages 58-70, 2002. 5.1, 5.4.2

[89] Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Kenneth L. McMillan. Abstractions from proofs. In Proceedings of the 31st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 232-244. ACM Press, 2004. 1.2.4, 1.3, 6, 6.8.1

[90] F. Ivancic, I. Shlyakhter, A. Gupta, Malay K. Ganai, V. Kahlon, C. Wang, and Z. Yang. Model checking C programs using F-SOFT. In International Conference on Computer Design (ICCD 2005). IEEE, 2005. 1.1, 5

[91] Himanshu Jain, Constantinos Bartzis, and Edmund M. Clarke. Satisfiability checking of non-clausal formulas using general matings. In 9th International Conference on Theory and Applications of Satisfiability Testing (SAT), pages 75-89, 2006. 1.4

[92] Himanshu Jain, Edmund M. Clarke, and Orna Grumberg. Efficient Craig Interpolation for Linear Diophantine (Dis)Equations and Linear Modular Equations. In 20th International Conference on Computer Aided Verification (CAV), 2008. 1.4

[93] Himanshu Jain, Franjo Ivancic, Aarti Gupta, Ilya Shlyakhter, and Chao Wang. Using statically computed invariants inside the predicate abstraction and refinement loop. In CAV, pages 137-151, 2006. 7

[94] Himanshu Jain, Franjo Ivancic, Aarti Gupta, and Malay K. Ganai. Localization and register sharing for predicate abstraction. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pages 397-412, 2005. 5.5.2

[95] Himanshu Jain, Daniel Kroening, Natasha Sharygina, and Edmund Clarke. Word Level Predicate Abstraction and Refinement for Verifying RTL Verilog. In Design Automation Conference (DAC), June 2005. 1.4, 7


[96] Himanshu Jain, Daniel Kroening, Natasha Sharygina, and Edmund Clarke. VCEGAR: Verilog counterexample guided abstraction refinement. In Proceedings of TACAS 2007, volume 4424 of Lecture Notes in Computer Science, pages 583-586. Springer, 2007. 1.4

[97] Himanshu Jain, Daniel Kroening, Natasha Sharygina, and Edmund Clarke. Word level predicate abstraction and refinement for verifying RTL Verilog. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), 27(2):366-379, Feb. 2008. 1.4

[98] Matti Järvisalo, Tommi Junttila, and Ilkka Niemelä. Unrestricted vs restricted cut in a tableau method for Boolean circuits. Annals of Mathematics and Artificial Intelligence, 44(4):373-399, 2005. 1.1

[99] Ranjit Jhala and Kenneth L. McMillan. A practical and complete approach to predicate refinement. In TACAS, pages 459-473, 2006. 1.3, 6

[100] Deepak Kapur, Rupak Majumdar, and Calogero G. Zarba. Interpolation for data structures. In SIGSOFT '06/FSE-14, pages 105-116. ACM, 2006. 1.3, 6.2

[101] Daniel Kroening and Georg Weissenbacher. Lifting propositional interpolants to the word-level. In FMCAD, pages 85-89. IEEE, 2007. 1.3, 6.2

[102] R. P. Kurshan. Computer-aided verification of coordinating processes: the automata-theoretic approach. Princeton University Press, 1994. 1.2.1, 1.2.2, 7

[103] S. K. Lahiri, R. E. Bryant, and B. Cook. A symbolic approach to predicate abstraction. In Computer-Aided Verification (CAV), number 2725, pages 141-153. Springer, 2003. 1.1, 5

[104] Shuvendu K. Lahiri and Randal E. Bryant. Indexed predicate discovery for unbounded system verification. In CAV, pages 135-147, 2004. 1.2.4, 2

[105] Florian Lonsing and Armin Biere. Nenofex: Expanding NNF for QBF Solving. In 11th Intl. Conf. on Theory and Applications of Satisfiability Testing (SAT'08), 2008. 7

[106] Feng Lu, Li-C. Wang, Kwang-Ting Cheng, and Ric C.-Y. Huang. A Circuit SAT Solver With Signal Correlation Guided Learning. In DATE, pages 10892-10897, 2003. 1.1

[107] P. Manolios, S. K. Srinivasan, and D. Vroon. Automatic memory reductions for RTL-level verification. In ICCAD, 2006. 1.2.4, 6.2, 7

[108] João P. Marques-Silva and Karem A. Sakallah. GRASP - A New Search Algorithm for Satisfiability. In Proceedings of IEEE/ACM International Conference on Computer-Aided Design, pages 220-227, November 1996. 1.1, 1.2.1

[109] George Ballard Mathews. Theory of numbers. NY, Chelsea Pub. Co., 2nd edition, 1927. 6.5.2

[110] David McAllester, Bart Selman, and Henry Kautz. Evidence for invariants in local search. In AAAI, pages 321-326, Providence, Rhode Island, 1997. 1.1

[111] K. L. McMillan. Symbolic Model Checking. PhD thesis, Carnegie Mellon University, 1993. 1.2.1

[112] Kenneth L. McMillan. Interpolation and SAT-Based Model Checking. In CAV, pages 1-13, 2003. 1.1, 1.2.2, 1.3, 1, 5.6.1, 6

[113] Kenneth L. McMillan. An interpolating theorem prover. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pages 16-30, 2004. 1.2.4, 1.3, 1.3.2, 6.2, 6.7.1, 6.8.1, 7, D.7

[114] Kenneth L. McMillan. Lazy Abstraction with Interpolants. In CAV, pages 123-136, 2006. 1.3

[115] K. L. McMillan and N. Amla. Automatic abstraction without counterexamples. In TACAS 2003. Springer, 2003. 1.1, 1.2.2, 7

[116] Andreas Meier and Volker Sorge. A New Set of Algebraic Benchmark Problems for SAT Solvers. In SAT, pages 459-466, 2005. 3.8

[117] Matthew W. Moskewicz, Conor F. Madigan, Ying Zhao, Lintao Zhang, and Sharad Malik. Chaff: Engineering an efficient SAT solver. In Design Automation Conference (DAC'01), pages 530-535, June 2001. 1.1, 1.2.1, 1.2.4, 3.7, 3.8, 4.2, 4.4.1

[118] Markus Müller-Olm and Helmut Seidl. Analysis of modular arithmetic. ACM Trans. Program. Lang. Syst., 29(5):29, 2007. 6.8.1

[119] Kedar S. Namjoshi and Robert P. Kurshan. Syntactic program transformations for automatic abstraction. In Computer Aided Verification, number 1855 in LNCS, 2000. 5.1

[120] Greg Nelson and Derek C. Oppen. Simplification by cooperating decision procedures. ACM Trans. Program. Lang. Syst., 1(2):245-257, 1979. 6.1, 6.2, 6.7, 6.7, D.7

[121] R. Nieuwenhuis and A. Oliveras. DPLL(T) with Exhaustive Theory Propagation and its Application to Difference Logic. In K. Etessami and S. Rajamani, editors, 17th International Conference on Computer Aided Verification, CAV'05, volume 3576 of Lecture Notes in Computer Science, pages 321-334. Springer, 2005. 7

[122] Robert Nieuwenhuis, Albert Oliveras, and Cesare Tinelli. Solving SAT and SAT Modulo Theories: From an abstract Davis-Putnam-Logemann-Loveland procedure to DPLL(T). J. ACM, 53(6):937-977, 2006. 7

[123] Frank Pfenning and Dan Nesmith. Presenting intuitive deductions via symmetric simplification. In CADE-10: Proceedings of the Tenth International Conference on Automated Deduction, pages 336-350, New York, NY, USA, 1990. Springer-Verlag New York, Inc. 7

[124] David A. Plaisted and Steven Greenbaum. A structure-preserving clause form translation. J. Symb. Comput., 2(3), 1986. 1.1, 2.1, 3.8, 4.10.2

[125] Mojżesz Presburger. Über die Vollständigkeit eines gewissen Systems der Arithmetik ganzer Zahlen, in welchem die Addition als einzige Operation hervortritt. In Sprawozdanie z I Kongresu Matematyków Słowiańskich, Warszawa 1929, pages 92-101, 395, Warsaw, Poland, 1930. Annotated English version in [132]. 6.2

[126] Pavel Pudlák. Lower bounds for resolution and cutting plane proofs and monotone computations. J. Symb. Log., 62(3):981-998, 1997. 6.2, D.8.1

[127] R. Brummayer and A. Biere. Local two-level and-inverter graph minimization without blowup. In 2nd Doctoral Workshop on Mathematical and Engineering Methods in Computer Science (MEMICS'06), 2006. 4.10.1

[128] Andrey Rybalchenko and Viorica Sofronie-Stokkermans. Constraint solving for interpolation. In VMCAI, pages 346-362, 2007. 1.3, 1.3.2, 6.2, 6.7.1, 6.8.1, 6.8.2, D.7, D.10

[129] A. Schrijver. Theory of linear and integer programming. John Wiley & Sons, NY, 1986. 6.1, 6.2, 6.3, 6.4, 11, 6.4, 6.6, 5, 6.6.1, 6.7, 6.7, D.4, 16, 17, 18, 19

[130] Mary Sheeran, Satnam Singh, and Gunnar Stålmarck. Checking safety properties using induction and a SAT-Solver. In Formal Methods in Computer-Aided Design, pages 108-125, 2000. 1.1, 4.10.1, 1

[131] João P. Marques Silva. Improvements to the implementation of interpolant-based model checking. In CHARME, pages 367-370, 2005. 1

[132] R. Stansifer. Presburger's article on integer arithmetic: Remarks and translation. Technical Report TR84-639, Cornell University Computer Science Department, 1984. 125

[133] Arne Storjohann and George Labahn. Asymptotically fast computation of Hermite normal forms of integer matrices. In ISSAC '96: Proceedings of the 1996 International Symposium on Symbolic and Algebraic Computation, pages 259-266, 1996. 6.6.1

[134] Philippe Suter. Non-Clausal Satisfiability Modulo Theories. Master's thesis, École Polytechnique Fédérale de Lausanne, 2008. 7

[135] K. Takamizawa, T. Nishizeki, and N. Saito. Linear-time computability of combinatorial problems on series-parallel graphs. J. ACM, 29(3):623-641, 1982. 2.3.2

[136] The PARI Group. PARI/GP, Version 2.3.2, 2006. http://pari.math.u-bordeaux.fr/. 6.8.2

[137] Christian Thiffault, Fahiem Bacchus, and Toby Walsh. Solving Non-clausal Formulas with DPLL Search. In SAT, 2004. 1.1

[138] G. S. Tseitin. On the complexity of derivation in propositional calculus. In Studies in Constructive Mathematics and Mathematical Logic, pages 115-125, 1968. 1.1, 2.1, 4.10.2

[139] VIS model checker. http://vlsi.colorado.edu/~vis. 5.6.2

[140] C. Wang, H. Kim, and A. Gupta. Hybrid CEGAR: Combining variable hiding and predicate abstraction. In International Conference on Computer Aided Design (ICCAD'07), 2007. 1.2.4, 7

[141] Chao Wang, Franjo Ivancic, Malay K. Ganai, and Aarti Gupta. Deciding Separation Logic Formulae by SAT and Incremental Negative Cycle Elimination. In LPAR, pages 322-336, 2005. 7

[142] D. Wang, P. Ho, J. Long, J. Kukula, Y. Zhu, T. Ma, and R. Damiano. Formal property verification by abstraction refinement with formal, simulation and hybrid engines. In DAC, pages 35-40, 2001. 1.2.2, 7

[143] Yichen Xie and Alexander Aiken. Saturn: A SAT-Based Tool for Bug Detection. In CAV, pages 139-143, 2005. 1.1

[144] Greta Yorsh and Madanlal Musuvathi. A combination method for generating interpolants. In CADE, pages 353-368, 2005. 1.3, 6.2, D.7

[145] H. Zhang. SATO: An efficient propositional prover. In CADE-14, pages 272-275, 1997. 1.1

[146] L. Zhang and S. Malik. Extracting small unsatisfiable cores from unsatisfiable Boolean formulas. In 6th International Conference on Theory and Applications of Satisfiability Testing (SAT). Springer, 2003. 5.5.1

[147] Lintao Zhang. Solving QBF by Combining Conjunctive and Disjunctive Normal Forms. In AAAI, 2006. 7

[148] Lintao Zhang, Conor F. Madigan, Matthew W. Moskewicz, and Sharad Malik. Efficient conflict driven learning in Boolean satisfiability solver. In ICCAD, pages 279-285, 2001. 3.5, 3.6

[149] Lintao Zhang and Sharad Malik. Conflict driven learning in a quantified Boolean Satisfiability solver. In ICCAD, pages 442-449, 2002. 7


Appendix  A 

Improved  Construction  of 
Graphical  Representations 


In  the  construction  of  vpgraph  described  in  chapter  2  new  edges  are  created  when 
we  take  conjunction  of  two  formulas.  In  particular,  when  we  compute  vpgraph  for 
4*1  A  (|)2,  every  leaf  in  vpgraph  of  (|>i  is  connected  to  every  root  in  vpgraph  of  (])2. 
This  leads  to  |Li|  x  |/?2 1  new  edges,  where  L\  denotes  the  set  of  leafs  in  <f>i  and 
R2  denotes  the  set  of  roots  in  <j>2-  Thus,  the  construction  of  vpgraph  described  in 
chapter  2  can  take  0(k 2)  time/space  in  the  worst  case  where  k  is  the  size  of  the 
given  formula. 


Example  40  Consider  a  CNF  formula  4>i  =  (xi  V . . .  Vjc/)  A  (yi  V . . .  Vy/).  Observe 
that  size  of  4>i  is  linear  in  /.  The  vpgraph  of  <f>i  contains  l 2  edges  of  the  form  (/,  j) 
where  1  <  i  <  l,  1  <  i  <  2  x  /.  The  vpgraph  is  shown  in  Fig.  A.  1(a). 


213 


Figure  A.  1 :  Vpgraph  for  DNF  formula  (jq  A . . .  Ax/)  V  (yi  A . . .  Ay/),  (a)  Explicitly 
representing  l2  edges,  (b)  Implicitly  representing  l2  edges  using  a  hyperedge  from 
{1,...,/}  to  {/  +  1, . . . ,  2  x  /}. 

In  the  following  we  present  a  procedure  for  constructing  vpgraph  that  takes 
0(k )  time/space  in  the  worst  case  where  k  is  the  size  of  the  given  formula.  The 
basic  idea  is  as  follows:  instead  of  explicitly  adding  \L\  \  x  |/?2 1  edges  during  a 
conjunction,  we  create  one  hyperedge  (L\ .  /C).  A  hyperedge  (L.  R)  implicitly  rep¬ 
resents  that  there  is  an  edge  ( n ,  m )  from  every  node  n  e  L  to  every  node  m  e  R.  The 
representation  of  a  hyperedge  takes  0(\L\  +  |i?|)  space  and  it  represents  \L\  x  \R\ 
edges  implicitly. 

Example  41  Consider  a  CNF  formula  <f>i  =  (x\  V  . . .  V x{)  A  (yi  V  . . .  Vy/).  The 
vpgraph  (f)i  can  be  represented  in  0(1)  space  by  using  one  hyperedge  for  the  form 
(A,B),  where  A  —  {1  ,...,1},B  =  {l  +  x  l},Lit(i )  =  Xi,Lit(j)  —  yj,  1  < 

/</./+  1  <  /  <  2  x  /.  Representing  (A.B)  requires  0(1)  space.  It  implicitly 
represents  l2  edges  which  were  created  explicitly  by  the  construction  in  chapter 
A.  The  new  vpgraph  is  shown  in  Figure  A.  1(b). 


214 


We  formalize  the  improved  vpgraph  construction  below.  As  in  the  chapter  2, 
the  vpgraph  Gv(<|))  of  a  NNF  formula  (])  is  defined  as  a  tuple  (V,R,L,E ,Lit),  where 
V  is  the  set  of  nodes,  R  C  V  is  a  set  of  root  nodes,  L  C  V  is  a  set  of  leaf  nodes, 
Lit(n)  denotes  the  literal  associated  with  node  hgV.  The  main  change  is  that  the 
E  C  tP(V)  x  fP(V)  is  the  set  of  hyperedges. 

Given $\phi$, we construct the improved vpgraph $G_v(\phi) = (V, R, L, E, \mathit{Lit})$ inductively as described in Chapter 2. The only difference is in the case where we handle the conjunction of two sub-formulas.

If $\phi = \phi_1 \wedge \phi_2$, then the vpgraph for $\phi$ is obtained by concatenating the vpgraph of $\phi_1$ with the vpgraph of $\phi_2$. Let $G_v(\phi_1) = (V_1, R_1, L_1, E_1, \mathit{Lit}_1)$ and $G_v(\phi_2) = (V_2, R_2, L_2, E_2, \mathit{Lit}_2)$. Then $G_v(\phi)$ contains all the nodes and edges of $G_v(\phi_1)$ and $G_v(\phi_2)$, plus one additional hyperedge from the leaves of $G_v(\phi_1)$ to the roots of $G_v(\phi_2)$, denoted $(L_1, R_2)$ below. The set of roots of $G_v(\phi)$ is $R_1$, while the set of leaves is $L_2$:

$$G_v(\phi) = (V_1 \cup V_2,\; R_1,\; L_2,\; E_1 \cup E_2 \cup \{(L_1, R_2)\},\; \mathit{Lit}_1 \cup \mathit{Lit}_2)$$

The same idea of using hyperedges applies during the construction of the hpgraph, where the hyperedge is added for a disjunction instead of a conjunction. With hyperedges, the complexity of obtaining the vpgraph/hpgraph is linear in the size of the given NNF formula.

Appendix B


Algorithms  from  Chapter  3 


B.1 Algorithm for Detection of Global Conflict


Figure B.1: (a) Vpgraph and (b) Hpgraph for the formula $(a \vee c) \wedge ((b \wedge u) \vee (d \wedge v)) \wedge (\neg a \vee \neg b)$.

We say that a global conflict occurs when an assignment $\sigma$ falsifies a given formula $\phi$. In order to detect this conflict we use Corollary 3 (Chapter 3). This requires checking whether there is an rl-path $\pi$ in the hpgraph $G_h(\phi) = (V', R', L', E', \mathit{Lit}')$ such that $\sigma$ falsifies $\pi$. We present an $O(|V'| + |E'|)$ algorithm below. We reduce the problem of finding an rl-path $\pi$ in $G_h(\phi)$ such that $\sigma$ falsifies $\pi$ to a shortest path computation as follows. It is assumed that $\sigma$ is consistent, that is, it does not contain opposite literals. For each node $n \in V'$ we assign a weight $w(n) \in \{0, 1, 2\}$ to $n$. The assignment of weights is done as follows:

$$w(n) := \begin{cases} 0 & \text{if } \neg\mathit{Lit}(n) \in \sigma \\ 2 & \text{if } \mathit{Lit}(n) \in \sigma \\ 1 & \text{otherwise} \end{cases}$$


We will use the hpgraph in Fig. B.1(b) as our running example. If $\sigma = \{a, b\}$, then the weights assigned to the nodes of the hpgraph are $w(1) = 2$, $w(2) = 1$, $w(3) = 2$, $w(4) = 1$, $w(5) = 1$, $w(6) = 1$, $w(7) = 0$, $w(8) = 0$.

Given a path $\pi$ in the hpgraph, we define the length of $\pi$ to be the sum of the weights of the nodes that lie on $\pi$. For each node $n$ in the hpgraph we compute a shortest path estimate $\delta(n)$, which is the length of a shortest path from any root node to $n$. We also track the parent $\mathit{par}(n)$ of each node $n$ on the shortest path to $n$. For the hpgraph in Fig. B.1(b) and $\sigma = \{a, b\}$, we have $\delta(1) = 2$, $\delta(2) = 3$, $\delta(3) = 2$, $\delta(4) = 2$, $\delta(5) = 1$, $\delta(6) = 2$, $\delta(7) = 0$, $\delta(8) = 0$.
If there is an rl-path $\pi = (n_1, \ldots, n_k)$ in $G_h(\phi)$ such that $\sigma$ falsifies $\pi$, then $\delta(n_k) = 0$. This is because $n_1$ is a root node (by definition of an rl-path) and every node on $\pi$ has a weight of 0, as $\sigma$ falsifies each node on $\pi$. Thus there is a path of length 0 to $n_k$, which is the smallest possible length since all weights are non-negative. Observe that $n_k$ is a leaf node by definition of an rl-path.

The  following  claim  formalizes  the  above  idea  of  detecting  global  conflicts  using 
the  shortest  path  estimates. 

Claim 1. The following statements are equivalent:

1. $\sigma$ falsifies $\phi$.

2. There is an rl-path $\pi$ in $G_h(\phi)$ such that $\sigma$ falsifies $\pi$.

3. There is a node $n \in L'$ such that $\delta(n) = 0$.

Given an hpgraph and an assignment $\sigma$, we compute the shortest path estimate of each node in the hpgraph. If there is a leaf node $n$ with $\delta(n) = 0$, then there is a global conflict; otherwise there is no global conflict. For the hpgraph in Fig. B.1(b) and $\sigma = \{a, b\}$ we have $\delta(8) = 0$ and node 8 is a leaf node, so it follows from the above claim that $\sigma$ falsifies $\phi$.

Extraction of the falsified rl-path: If there is a leaf node $n$ in the hpgraph such that $\delta(n) = 0$, then the actual rl-path (ending at $n$) which is falsified by $\sigma$ can be obtained by following the parent of each node in the shortest path tree, starting from node $n$. We take the parent of a root node to be the nil node. The required rl-path is then obtained by reversing the sequence $(n, \mathit{par}(n), \mathit{par}(\mathit{par}(n)), \ldots, \mathit{nil})$ and removing the nil node.

For the hpgraph in Fig. B.1(b) and $\sigma = \{a, b\}$, we have $\delta(8) = 0$, $\mathit{par}(8) = 7$ and $\mathit{par}(7) = \mathit{nil}$. Thus the rl-path in the hpgraph which is falsified by $\sigma$ is $(7, 8)$.
Obtaining unit literals via the hpgraph: If there is no leaf node $n$ in the hpgraph such that $\delta(n) = 0$, then there is no global conflict. In this case the set of assignments implied under $\sigma$ can be obtained by applying Corollary 6. More specifically, if there is an rl-path $\pi := (n_1, \ldots, n_k)$ in $G_h(\phi)$ such that $\sigma$ falsifies all but one node (say $n_i$, $1 \le i \le k$) on $\pi$ and $\mathit{Lit}(n_i)$ is not yet assigned by $\sigma$, then $\delta(n_k) = 1$. This is because $n_1$ is a root node (by definition of an rl-path), every node on $\pi$ different from $n_i$ has a weight of 0, and $n_i$ has a weight of 1 as $\mathit{Lit}(n_i)$ has not yet been assigned by $\sigma$. Thus there is a path of length 1 to $n_k$, which is the smallest possible length given that there is no global conflict, that is, $\delta(n_k) \neq 0$. Observe that $n_k$ is a leaf node by definition of an rl-path. The following claim formalizes the idea of detecting unit literals using the shortest path estimates.

Claim 2. Assuming $\sigma$ does not falsify $\phi$, the following statements are equivalent:

1. $\sigma$ falsifies all but one node (say $n$) on an rl-path $\pi$ in $G_h(\phi)$, and $\mathit{Lit}(n)$ is not yet assigned by $\sigma$.

2. There is a leaf node $n' \in L'$ such that $\delta(n') = 1$.

Using the above claim it is possible to extract the implied literals by examining the leaf nodes whose shortest path estimate is 1 (assuming no global conflict). If there is a leaf node $n$ in the hpgraph such that $\delta(n) = 1$, then the rl-path $\pi$ all but one of whose nodes are falsified by the current assignment $\sigma$ can be obtained by following the parent of each node in the shortest path tree, starting from node $n$. This yields both the implied literal $l$ and the unit clause (the literals corresponding to the nodes on $\pi$) which implied $l$.

Example 42. For the hpgraph in Fig. B.1(b) and $\sigma = \{a\}$, the shortest path estimates of the nodes are $\delta(1) = 2$, $\delta(2) = 3$, $\delta(3) = 1$, $\delta(4) = 2$, $\delta(5) = 1$, $\delta(6) = 2$, $\delta(7) = 0$, $\delta(8) = 1$. Observe that none of the leaf nodes $n \in \{2, 4, 6, 8\}$ has $\delta(n) = 0$; thus there is no global conflict. However, $\delta(8) = 1$, which by the above claim means that there is an rl-path in the hpgraph such that $\sigma$ falsifies all but one node of it. In this example the rl-path is $(7, 8)$. Using Corollary 5, $\mathit{Lit}(8) = \neg b$ must be set to true under the current assignment to prevent a global conflict.

Efficiency issues: Since the hpgraph is a DAG, the computation of $\delta(n)$ for all $n$ can be done in linear time. However, in practice the routine for detecting global conflicts is called very often, and recomputing $\delta(n)$ for every node on every (un)assignment of a variable is expensive. Thus we use two optimizations which are crucial for efficiency: 1) incremental shortest path computation: whenever a variable is (un)assigned, instead of recomputing the shortest path estimate of every node in the hpgraph, we only examine the nodes whose shortest path estimate can be affected by this (un)assignment; 2) limiting the range of $\delta(n)$ to $\{0, 1, \infty\}$, since Claims 1 and 2 only ever inspect the values 0 and 1.

B.2 Algorithm for Detection of Local Conflict

A local conflict occurs when every rl-path in $G_v(\phi)$ with $\mathit{CRP}(m)$ as prefix contains two nodes which are conflicting, one of which lies on $\mathit{CRP}(m)$. This conflict can be detected by the linear time algorithm described below.

Figure B.2: (a) Vpgraph for the formula $(a \vee c) \wedge ((b \wedge u \wedge (\neg a \vee \neg b)) \vee (d \wedge v))$; (b) assignment of conflict labels when CRP is $()$ and $m = 1$, where a colored node $n$ denotes that $\mathit{conf}(n)$ is true; (c) assignment of conflict labels when CRP is $(1)$ and $m = 3$. A local conflict occurs as $\mathit{conf}(3)$ is true.

Let $\sigma$ denote the set of literals corresponding to the nodes on $\mathit{CRP}(m)$, that is, $\sigma = \{\mathit{Lit}(n) \mid n \in \mathit{CRP}(m)\}$. In order to detect a local conflict, we compute for each node $n$ in the vpgraph a flag $\mathit{conf}(n)$. If $\mathit{conf}(n)$ is true for some node $n$, then no satisfiable rl-path with $\mathit{CRP}(m)$ as prefix can pass through this node. A local conflict happens when $\mathit{conf}(m)$ becomes true.

We compute $\mathit{conf}(n)$ for every $n$ by scanning the nodes of $G_v(\phi)$ in reverse topological order (recall that $G_v(\phi)$ is a DAG), so that all successors of $n$ are labeled before $n$. For each node $n$ we assign $\mathit{conf}(n)$ as follows:

1. If $\neg\mathit{Lit}(n) \in \sigma$, then set $\mathit{conf}(n)$ to true.

2. Else if $n$ has at least one successor and $\mathit{conf}(n')$ is true for every successor $n'$ of $n$, then set $\mathit{conf}(n)$ to true.

3. Else set $\mathit{conf}(n)$ to false.


Example 43. Consider the vpgraph in Fig. B.2(a). Suppose CRP is $()$ and $m = 1$. Using the above notation, $\sigma = \{a\}$. The assignment of conflict labels sets $\mathit{conf}(7)$ to true and $\mathit{conf}(n)$ to false for every other $n$, as shown in Fig. B.2(b). Since $\mathit{conf}(1)$ is false, there is no local conflict when extending CRP by node 1. Now consider the case when CRP is $(1)$ and $m$ is node 3. In this case $\sigma = \{a, b\}$. The assignment of conflict labels sets $\mathit{conf}(n)$ to true for $n \in \{3, 5, 7, 8\}$ and to false for every other $n$, as shown in Fig. B.2(c). Since $\mathit{conf}(3)$ is true, there is a local conflict when extending CRP by node 3.

Efficiency issues: In our implementation we do not scan the entire vpgraph whenever a variable is (un)assigned. Instead, we incrementally update the $\mathit{conf}(n)$ flags, remembering them across multiple calls to the local conflict detection routine, and only examine the nodes whose $\mathit{conf}(n)$ flag may be affected by a variable (un)assignment.
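The hyperedge construction of Appendix A and the two scans of this appendix, written out as an added Python example; this is not the thesis's own implementation. The encoding of NNF formulas as nested tuples, with a negated literal written with a leading minus sign, and all function names are assumptions of the example. One inductive builder produces the vpgraph (concatenate on conjunction) or the hpgraph (concatenate on disjunction), storing each concatenation as a single hyperedge (leaves of $G_1$, roots of $G_2$). Node ids are issued in creation order, which is a topological order, so the B.1 shortest-path pass is one forward sweep and the B.2 conf-flag pass is one backward sweep. The inputs are the formulas of Figures B.1 and B.2; because creation order differs from the figures' layout numbering, results are reported as literals rather than node numbers.

```python
"""Added example (not the thesis's code): hyperedge vpgraph/hpgraph construction
(Appendix A), global conflict and unit detection by shortest paths (B.1), and
local conflict detection by conf flags (B.2)."""
from functools import reduce
from itertools import count

# Assumed encoding: ('lit', 'a'), ('lit', '-a'), ('and', f, g), ('or', f, g).
def lit(s):
    return ('lit', s)

def neg(l):
    return l[1:] if l.startswith('-') else '-' + l

class Graph:
    def __init__(self):
        self.lits = {}         # node id -> literal
        self.hyper = []        # hyperedges (L, R): an edge from every n in L to every m in R
        self.roots, self.leaves = [], []
    def succ(self, n):
        return [m for L, R in self.hyper if n in L for m in R]
    def pred(self, n):
        return [m for L, R in self.hyper if n in R for m in L]
    def stored_size(self):     # O(|L| + |R|) per hyperedge ...
        return sum(len(L) + len(R) for L, R in self.hyper)
    def implicit_edges(self):  # ... standing for |L| x |R| explicit edges
        return sum(len(L) * len(R) for L, R in self.hyper)

def build(f, concat_on):
    """concat_on='and' gives the vpgraph, 'or' the hpgraph.  The other connective
    takes the union of the sub-graphs; the concatenating one adds ONE hyperedge
    (leaves of G1, roots of G2).  Ids grow in creation order, a topological order."""
    g, ids = Graph(), count(1)
    def go(f):
        if f[0] == 'lit':
            n = next(ids)
            g.lits[n] = f[1]
            return [n], [n]
        r1, l1 = go(f[1])
        r2, l2 = go(f[2])
        if f[0] == concat_on:
            g.hyper.append((l1, r2))
            return r1, l2
        return r1 + r2, l1 + l2
    g.roots, g.leaves = go(f)
    return g

def shortest_estimates(h, sigma):
    """B.1: weights w(n) in {0,1,2}; delta(n) and par(n) by one forward DAG sweep."""
    w = {n: 0 if neg(l) in sigma else 2 if l in sigma else 1 for n, l in h.lits.items()}
    delta, par = {}, {}
    for n in sorted(h.lits):
        preds = h.pred(n)
        p = min(preds, key=delta.get) if preds else None
        delta[n], par[n] = w[n] + (delta[p] if preds else 0), p
    return delta, par

def rl_path(par, n):
    """Walk parents from n back to a root (par = None) and reverse."""
    path = []
    while n is not None:
        path.append(n)
        n = par[n]
    return path[::-1]

def global_conflict(h, sigma):
    """Claim 1: sigma falsifies the formula iff some leaf has delta = 0.
    Returns that falsified rl-path as literals, or None."""
    delta, par = shortest_estimates(h, sigma)
    for n in h.leaves:
        if delta[n] == 0:
            return [h.lits[m] for m in rl_path(par, n)]
    return None

def unit_literals(h, sigma):
    """Claim 2 (assumes no global conflict): a leaf with delta = 1 ends an rl-path
    with exactly one unassigned node, whose literal is implied.
    Returns {implied literal: literals on the rl-path that implied it}."""
    delta, par = shortest_estimates(h, sigma)
    units = {}
    for n in h.leaves:
        if delta[n] == 1:
            lits = [h.lits[m] for m in rl_path(par, n)]
            free = next(l for l in lits if l not in sigma and neg(l) not in sigma)
            units[free] = lits
    return units

def local_conflict(v, crp_lits, m):
    """B.2: conf flags by a reverse-topological sweep, sigma = literals on CRP(m).
    Rule 2 applies only to nodes that have successors; a leaf is never conflicting
    just because it has none.  Returns (conf(m), set of conflicting literals)."""
    sigma = set(crp_lits) | {v.lits[m]}
    conf = {}
    for n in sorted(v.lits, reverse=True):
        s = v.succ(n)
        conf[n] = neg(v.lits[n]) in sigma or (bool(s) and all(conf[x] for x in s))
    return conf[m], {v.lits[n] for n in conf if conf[n]}

def two_clause_cnf(l):
    """Example 41: (x1 v ... v xl) ^ (y1 v ... v yl)."""
    def clause(p):
        return reduce(lambda f, g: ('or', f, g), (lit(f'{p}{i}') for i in range(1, l + 1)))
    return ('and', clause('x'), clause('y'))

# Constructed inputs: the formulas of Figures B.1 and B.2.
F_B1 = ('and', ('or', lit('a'), lit('c')),
        ('and', ('or', ('and', lit('b'), lit('u')), ('and', lit('d'), lit('v'))),
                ('or', lit('-a'), lit('-b'))))
F_B2 = ('and', ('or', lit('a'), lit('c')),
        ('or', ('and', lit('b'), ('and', lit('u'), ('or', lit('-a'), lit('-b')))),
               ('and', lit('d'), lit('v'))))

if __name__ == '__main__':
    h, v = build(F_B1, 'or'), build(F_B2, 'and')
    print(global_conflict(h, {'a', 'b'}), unit_literals(h, {'a'}))   # ['-a', '-b'] {'-b': ['-a', '-b']}
    print(local_conflict(v, [], 1), local_conflict(v, ['a'], 3))    # (False, {'-a'}) (True, {'b', 'u', '-a', '-b'})
    g = build(two_clause_cnf(10), 'and')
    print(g.stored_size(), g.implicit_edges())                      # 20 100
```

The `local_conflict` sweep applies rule 2 only to nodes that actually have successors; without that guard every leaf would be labeled conflicting by the vacuous "all successors" condition, which is not what Figure B.2(b) shows. For the Figure B.1 formula the hpgraph with $\sigma = \{a, b\}$ yields the falsified rl-path $(\neg a, \neg b)$, and with $\sigma = \{a\}$ the single unit literal $\neg b$, matching the running example above.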
Appendix C

Proof of Duality Between rl-cuts and rl-paths


Given two paths $\pi_1 := (m_1, \ldots, m_k)$ and $\pi_2 := (m_{k+1}, \ldots, m_t)$, we use $\pi_1.\pi_2$ to denote the path obtained by concatenating $\pi_1$ with $\pi_2$, that is, $(m_1, \ldots, m_k, m_{k+1}, \ldots, m_t)$. In order to prove Theorems 6 and 7 we make use of the following lemmas.

Lemma 8. Given $\phi = \phi_1 \vee \phi_2$, the following are equivalent:

(a) $C$ is a minimal rl-cut in $G_h(\phi_1)$ or in $G_h(\phi_2)$.

(b) $C$ is a minimal rl-cut in $G_h(\phi)$.

Proof. Let $G_h(\phi_1) = (V_1, R_1, L_1, E_1, \mathit{Lit}_1)$ and $G_h(\phi_2) = (V_2, R_2, L_2, E_2, \mathit{Lit}_2)$. The hpgraph of $\phi$ is obtained by connecting the leaves of the hpgraph of $\phi_1$ with the roots of the hpgraph of $\phi_2$ (see Figure C.1). Formally, $G_h(\phi) = (V_1 \cup V_2,\; R_1,\; L_2,\; E_1 \cup E_2 \cup (L_1 \times R_2),\; \mathit{Lit}_1 \cup \mathit{Lit}_2)$.

(a) $\Rightarrow$ (b): We consider two cases.

Figure C.1: The hpgraph of $\phi_1 \vee \phi_2$ is obtained by connecting the hpgraph of $\phi_1$ with the hpgraph of $\phi_2$.


• $C$ is a minimal rl-cut in $G_h(\phi_1)$. Every rl-path $\pi$ in $G_h(\phi)$ is of the form $\pi_1.\pi_2$, where $\pi_1$ is an rl-path in $G_h(\phi_1)$ and $\pi_2$ is an rl-path in $G_h(\phi_2)$. Observe that $C$ is also an rl-cut for $G_h(\phi)$, as every rl-path in $G_h(\phi_1)$ is disconnected by removing the nodes in $C$. Suppose $C$ is not a minimal rl-cut in $G_h(\phi)$; then there must exist $C' \subsetneq C$ such that $C'$ is a minimal rl-cut in $G_h(\phi)$. But since $C' \subseteq V_1$, this means that $C'$ is also an rl-cut for $G_h(\phi_1)$, contradicting the minimality of $C$. Thus $C$ is a minimal rl-cut in $G_h(\phi)$.

• $C$ is a minimal rl-cut in $G_h(\phi_2)$. We can use similar reasoning as above to prove that $C$ is a minimal rl-cut in $G_h(\phi)$.

(b) $\Rightarrow$ (a): We consider three cases.

• $C \subseteq V_1$. It is easy to see that $C$ is a minimal rl-cut in $G_h(\phi_1)$.

• $C \subseteq V_2$. It is easy to see that $C$ is a minimal rl-cut in $G_h(\phi_2)$.

• $C = C_1 \cup C_2$ with $C_1 \subseteq V_1$, $C_2 \subseteq V_2$, $C_1 \neq \emptyset$, $C_2 \neq \emptyset$. We show by contradiction that this case cannot arise. Observe that $C_1$ cannot be an rl-cut in $G_h(\phi_1)$ (otherwise $C_1 \cup C_2$ would not be a minimal rl-cut in $G_h(\phi)$). Similarly, $C_2$ cannot be an rl-cut in $G_h(\phi_2)$. Thus there exists an rl-path $\pi_1$ in $G_h(\phi_1)$ which does not contain any node from $C_1$, and similarly an rl-path $\pi_2$ in $G_h(\phi_2)$ which does not contain any node from $C_2$. The rl-path $\pi_1.\pi_2$ belongs to $G_h(\phi)$ and contains no node from $C_1 \cup C_2$ (see Figure C.2). This means that $C_1 \cup C_2$ cannot be an rl-cut for $G_h(\phi)$, a contradiction. $\square$

Figure C.2: Hpgraph for $\phi_1 \vee \phi_2$, showing the rl-path $\pi_1.\pi_2$ that avoids $C_1 \cup C_2$.


Lemma 9. Given $\phi = \phi_1 \wedge \phi_2$. Let $G_h(\phi_1) = (V_1, R_1, L_1, E_1, \mathit{Lit}_1)$ and $G_h(\phi_2) = (V_2, R_2, L_2, E_2, \mathit{Lit}_2)$. Then $G_h(\phi)$ is obtained by taking the union of $G_h(\phi_1)$ and $G_h(\phi_2)$, that is, $G_h(\phi) = (V_1 \cup V_2,\; R_1 \cup R_2,\; L_1 \cup L_2,\; E_1 \cup E_2,\; \mathit{Lit}_1 \cup \mathit{Lit}_2)$. The following are equivalent:

(a) $C_1$ is a minimal rl-cut in $G_h(\phi_1)$ and $C_2$ is a minimal rl-cut in $G_h(\phi_2)$.

(b) $C_1 \cup C_2$ is a minimal rl-cut in $G_h(\phi)$, where $C_1 \subseteq V_1$ and $C_2 \subseteq V_2$.

Proof. (a) $\Rightarrow$ (b): Note that each rl-path in $G_h(\phi)$ is an rl-path in either $G_h(\phi_1)$ or $G_h(\phi_2)$. Thus $C_1 \cup C_2$ is an rl-cut in $G_h(\phi)$. It is also easy to see that $C_1 \cup C_2$ is a minimal rl-cut in $G_h(\phi)$: otherwise either $C_1$ is not a minimal rl-cut in $G_h(\phi_1)$ or $C_2$ is not a minimal rl-cut in $G_h(\phi_2)$.

(b) $\Rightarrow$ (a): It is easy to see that $C_1$ is an rl-cut in $G_h(\phi_1)$ and $C_2$ is an rl-cut in $G_h(\phi_2)$. Since $C_1 \cup C_2$ is a minimal rl-cut in $G_h(\phi)$, it follows that $C_1$ and $C_2$ are minimal rl-cuts in $G_h(\phi_1)$ and $G_h(\phi_2)$, respectively. $\square$

Theorem 6. Given the hpgraph $G_h(\phi)$ and the vpgraph $G_v(\phi)$ of a formula $\phi$, let $\pi$ be an rl-path in $G_v(\phi)$. Then $\mathit{nodes}(\pi)$ form a minimal rl-cut in $G_h(\phi)$.

Proof. We prove this theorem by induction on the structure of $\phi$.

• $\phi$ is a literal $l$: In this case both $G_h(\phi)$ and $G_v(\phi)$ contain a single node $n$ with $\mathit{Lit}(n) = l$. The only rl-path in $G_v(\phi)$ is $(n)$, and $\{n\}$ is a minimal rl-cut for $G_h(\phi)$.

• $\phi = \phi_1 \vee \phi_2$: Since $G_v(\phi)$ is obtained by taking the union of $G_v(\phi_1)$ and $G_v(\phi_2)$, we have two cases. 1) $\pi$ is an rl-path in $G_v(\phi_1)$. By the induction hypothesis $\mathit{nodes}(\pi)$ form a minimal rl-cut in $G_h(\phi_1)$. From Lemma 8 it follows that $\mathit{nodes}(\pi)$ form a minimal rl-cut in $G_h(\phi)$. 2) $\pi$ is an rl-path in $G_v(\phi_2)$. We can use similar reasoning as in case 1 to conclude that $\mathit{nodes}(\pi)$ form a minimal rl-cut in $G_h(\phi)$.

• $\phi = \phi_1 \wedge \phi_2$: Since $G_v(\phi)$ is obtained by connecting the leaves of $G_v(\phi_1)$ with the roots of $G_v(\phi_2)$, we have $\pi = \pi_1.\pi_2$, where $\pi_1$ is an rl-path in $G_v(\phi_1)$ and $\pi_2$ is an rl-path in $G_v(\phi_2)$. By the induction hypothesis $\mathit{nodes}(\pi_1)$ form a minimal rl-cut in $G_h(\phi_1)$ and $\mathit{nodes}(\pi_2)$ form a minimal rl-cut in $G_h(\phi_2)$. From Lemma 9 it follows that $\mathit{nodes}(\pi_1) \cup \mathit{nodes}(\pi_2) = \mathit{nodes}(\pi)$ form a minimal rl-cut in $G_h(\phi)$. $\square$

Theorem 7. Given the hpgraph $G_h(\phi)$ and the vpgraph $G_v(\phi)$ of a formula $\phi$, let $C$ be a minimal rl-cut in $G_h(\phi)$. Then there exists an rl-path $\pi$ in $G_v(\phi)$ such that $C = \mathit{nodes}(\pi)$.

Proof. We prove this theorem by induction on the structure of $\phi$.

• $\phi$ is a literal $l$: In this case both $G_h(\phi)$ and $G_v(\phi)$ contain a single node $n$ with $\mathit{Lit}(n) = l$. Then $C = \{n\}$ and $\pi = (n)$.

• $\phi = \phi_1 \vee \phi_2$: From Lemma 8 we have two possible cases. 1) $C$ is a minimal rl-cut in $G_h(\phi_1)$. By the induction hypothesis there exists an rl-path $\pi$ in $G_v(\phi_1)$ such that $C = \mathit{nodes}(\pi)$. Since $G_v(\phi)$ is obtained by taking the union of $G_v(\phi_1)$ and $G_v(\phi_2)$, it follows that $\pi$ is an rl-path in $G_v(\phi)$. 2) $C$ is a minimal rl-cut in $G_h(\phi_2)$. Using similar reasoning as in case 1 we can argue that there exists an rl-path $\pi$ in $G_v(\phi)$ such that $C = \mathit{nodes}(\pi)$.

• $\phi = \phi_1 \wedge \phi_2$: From Lemma 9 it follows that $C = C_1 \cup C_2$, where $C_1$ is a minimal rl-cut in $G_h(\phi_1)$ and $C_2$ is a minimal rl-cut in $G_h(\phi_2)$. By the induction hypothesis there exists an rl-path $\pi_1$ in $G_v(\phi_1)$ such that $C_1 = \mathit{nodes}(\pi_1)$ and an rl-path $\pi_2$ in $G_v(\phi_2)$ such that $C_2 = \mathit{nodes}(\pi_2)$. But $\pi = \pi_1.\pi_2$ is an rl-path in $G_v(\phi)$ and $C = C_1 \cup C_2 = \mathit{nodes}(\pi_1) \cup \mathit{nodes}(\pi_2) = \mathit{nodes}(\pi)$. $\square$
Appendix D

Proofs from Chapter 6

D.1 Proofs from Section 6.4

Proof of Lemma 1

Proof. $UCX = UD$ is a linear combination of the equations in $CX = D$. Let $X_0$ be an integral solution to $CX = D$. It is easy to verify that $X_0$ also satisfies $UCX = UD$. Thus the system of LDEs $CX = D$ implies the LDE $UCX = UD$ for any rational row vector $U$.

Since $UCX_0 - UD = 0$, any rational number $m$ divides $UCX_0 - UD$. It follows that $X_0$ is also a solution to the LME $UCX \equiv_m UD$. Thus the system of LDEs $CX = D$ implies the LME $UCX \equiv_m UD$ for any rational row vector $U$ and rational number $m$. $\square$
Why $F \wedge G$ has no LDE as an interpolant in Example 5.

Proof. Recall that $F$ is $x - 2y = 0$ and $G$ is $x - 2z = 1$, where $x, y, z$ are integers. Observe that $F$ has an integral solution, for example $x = 2$, $y = 1$. Thus, by Lemma 6, any LDE that is implied by $F$ must be of the form $r(x - 2y = 0)$, where $r$ is a rational number.

Suppose $(F, G)$ has an LDE $I$ as an interpolant. Since $F \Rightarrow I$, $I$ must be of the form $r(x - 2y = 0)$. But $I$ can only contain the variable $x$ (the common variable of $F$ and $G$). This is possible only when $r = 0$. With $r = 0$, $I$ reduces to $0 = 0$, which is not unsatisfiable together with $G$. Thus $(F, G)$ cannot have an LDE as an interpolant. $\square$

Proof of Lemma 2

Proof. By definition of $V_{A \setminus B}$, the coefficient of $x_i \in V_{A \setminus B}$ is zero in each equation of $BX = B'$. Thus the coefficient of $x_i \in V_{A \setminus B}$ must be the same in $R_1 A X$ and $(R_1 A + R_2 B) X$. Since $R_1 A + R_2 B$ is integral, it follows that the coefficient $a_i$ of $x_i \in V_{A \setminus B}$ in the partial interpolant is an integer. $\square$


D.1.1 Proof of Lemma 3

Lemma 3. The partial interpolant $R_1 A X = R_1 A'$ satisfies the first two conditions in the definition of an interpolant. That is,

1. $AX = A'$ implies $R_1 A X = R_1 A'$.

2. $(R_1 A X = R_1 A') \wedge BX = B'$ is unsatisfiable.

If $a_i = 0$ for all $x_i \in V_{A \setminus B}$ (Equation 6.1), then the partial interpolant is also an interpolant for $(AX = A', BX = B')$. In this case the partial interpolant only contains variables from $V_{AB}$.

Proof. 1. $AX = A'$ implies $R_1 A X = R_1 A'$. This follows from Lemma 1.

2. Let $I$ denote $R_1 A X = R_1 A'$. Observe that $I \wedge BX = B'$ is the system of LDEs

$$\begin{bmatrix} R_1 A \\ B \end{bmatrix} X = \begin{bmatrix} R_1 A' \\ B' \end{bmatrix}$$

We show that the row vector $[1, R_2]$ is a proof of unsatisfiability of $I \wedge (BX = B')$. This requires showing that the conditions in the definition of a proof of unsatisfiability are met.

- To show that $[1, R_2] \begin{bmatrix} R_1 A \\ B \end{bmatrix}$ is integral: the product is equal to $R_1 A + R_2 B$, which is integral.

- To show that $[1, R_2] \begin{bmatrix} R_1 A' \\ B' \end{bmatrix}$ is not an integer: the product is equal to $R_1 A' + R_2 B'$, which is not an integer.

Thus $[1, R_2]$ is a proof of unsatisfiability of $I \wedge (BX = B')$, so $I \wedge (BX = B')$ is unsatisfiable. $\square$


D.1.2 Proof of Theorem 12

Recall that the rational row vector $R = [R_1, R_2]$ is the proof of unsatisfiability of $AX = A' \wedge BX = B'$ ($A, B, A', B'$ are rational matrices) such that

$R_1 A + R_2 B$ is integral,

$R_1 A' + R_2 B'$ is not an integer.

We call $R_1 A X = R_1 A'$ the partial interpolant for $(AX = A', BX = B')$. It can be written as follows:

$$\sum_{x_i \in V_{A \setminus B}} a_i x_i + \sum_{x_i \in V_{AB}} b_i x_i = c \qquad \text{(D.1)}$$

where all coefficients $a_i$, $b_i$ and $c = R_1 A'$ are rational numbers. The above equation is the same as Equation 6.1, repeated here for convenience.

Similarly, $R_2 B X = R_2 B'$ can be written as follows:

$$\sum_{x_i \in V_{AB}} e_i x_i + \sum_{x_i \in V_{B \setminus A}} f_i x_i = d \qquad \text{(D.2)}$$

where all coefficients $e_i$, $f_i$ and $d = R_2 B'$ are rational numbers. Observe that $R_2 B X = R_2 B'$ does not contain any variable from $V_{A \setminus B}$.
Lemma 10. Using the notation from Equations D.1 and D.2:

(a) For all $x_i \in V_{A \setminus B}$, $a_i$ is an integer.

(b) For all $x_i \in V_{AB}$, $b_i + e_i$ is an integer.

(c) For all $x_i \in V_{B \setminus A}$, $f_i$ is an integer.

(d) $c + d$ is not an integer.

Proof. The sum of the left hand sides of Equations D.1 and D.2 is

$$\sum_{x_i \in V_{A \setminus B}} a_i x_i + \sum_{x_i \in V_{AB}} (b_i + e_i) x_i + \sum_{x_i \in V_{B \setminus A}} f_i x_i$$

which is the same as $(R_1 A + R_2 B) X$. Since $R_1 A + R_2 B$ is integral, each coefficient in the above sum must be an integer. This gives us the desired results (a), (b), (c). Since $c + d = R_1 A' + R_2 B'$ and $R_1 A' + R_2 B'$ is not an integer, we get (d). $\square$

Theorem 12. Assume that the coefficient $a_i$ of at least one $x_i \in V_{A \setminus B}$ in the partial interpolant (Equation D.1) is not zero. Let $\alpha$ denote the gcd of $\{a_i \mid x_i \in V_{A \setminus B}\}$.

(a) $\alpha$ is an integer and $\alpha > 0$.

(b) Let $\beta$ be any integer that divides $\alpha$. Then the following linear modular equation $I_\beta$ is an interpolant for $(AX = A', BX = B')$:

$$I_\beta := \sum_{x_i \in V_{AB}} b_i x_i \equiv c \pmod{\beta}$$

Observe that $I_\beta$ contains only variables that are common to both $AX = A'$ and $BX = B'$. It is obtained from the partial interpolant (Equation D.1) by dropping all variables occurring only in $AX = A'$ (those in $V_{A \setminus B}$) and replacing the linear equality by a modular equality.

Proof. (a) By Lemma 10 each $a_i$ is an integer. Since $\alpha$ is the gcd of $\{a_i \mid x_i \in V_{A \setminus B}\}$, $\alpha$ must be an integer. Also note that $\alpha$ is non-zero since at least one $a_i$ is non-zero. By definition of gcd, $\alpha$ is positive.

(b) To show that $I_\beta$ is an interpolant for $(AX = A', BX = B')$:

1. We need to show that $AX = A'$ implies $I_\beta$. Recall that $AX = A'$ implies the partial interpolant $R_1 A X = R_1 A'$ by Lemma 3. We show that $R_1 A X = R_1 A'$ implies $I_\beta$.

From basic modular arithmetic it follows that $s = t$ implies $s \equiv t \pmod{\gamma}$ for any rational number $\gamma$. Thus the partial interpolant $R_1 A X = R_1 A'$ implies $R_1 A X \equiv_\beta R_1 A'$, where $\beta$ is any integer that divides $\alpha$. Consider the equation form of $R_1 A X \equiv_\beta R_1 A'$ (from Equation D.1):

$$\sum_{x_i \in V_{A \setminus B}} a_i x_i + \sum_{x_i \in V_{AB}} b_i x_i \equiv_\beta c \qquad \text{(D.3)}$$

By definition $\alpha$ divides $a_i$ for all $x_i \in V_{A \setminus B}$. Since $\beta$ divides $\alpha$, it follows that $\beta$ divides $a_i$ for all $x_i \in V_{A \setminus B}$. As $x_i$ is an integer valued variable, $a_i x_i$ is divisible by $\beta$ for all $x_i \in V_{A \setminus B}$. It follows that

$$\sum_{x_i \in V_{A \setminus B}} a_i x_i \equiv_\beta 0 \qquad \text{(D.4)}$$

Subtracting Equation D.4 from Equation D.3 we obtain

$$\sum_{x_i \in V_{AB}} b_i x_i \equiv_\beta c$$

The above equation is $I_\beta$. $AX = A'$ implies $R_1 A X = R_1 A'$, and $R_1 A X = R_1 A'$ implies Equation D.3. Equation D.4 holds for any integral assignment to the $x_i \in V_{A \setminus B}$, so $R_1 A X = R_1 A'$ implies Equation D.4. Equations D.3 and D.4 together imply $I_\beta$. It follows that $AX = A'$ implies $I_\beta$.


2. We need to show that $I_\beta \wedge BX = B'$ is unsatisfiable. Assume for the sake of contradiction that $I_\beta \wedge BX = B'$ has an integral satisfying assignment $x_i = g_i$, where $g_i$ is an integer for all $x_i \in V_{AB} \cup V_{B \setminus A}$. Since $I_\beta$ is satisfied by this assignment, we have

$$\sum_{x_i \in V_{AB}} b_i g_i \equiv_\beta c$$

Thus there exists an integer $t$ such that

$$\sum_{x_i \in V_{AB}} b_i g_i + t\beta = c \qquad \text{(D.5)}$$

The equation $R_2 B X = R_2 B'$ is implied by $BX = B'$. Thus the satisfying assignment $x_i = g_i$ for all $x_i \in V_{AB} \cup V_{B \setminus A}$ satisfies $R_2 B X = R_2 B'$. Plugging the values $g_i$ for $x_i$ into Equation D.2 we get

$$\sum_{x_i \in V_{AB}} e_i g_i + \sum_{x_i \in V_{B \setminus A}} f_i g_i = d \qquad \text{(D.6)}$$

Summing Equations D.5 and D.6 we get

$$t\beta + \sum_{x_i \in V_{AB}} (b_i + e_i) g_i + \sum_{x_i \in V_{B \setminus A}} f_i g_i = c + d \qquad \text{(D.7)}$$

We know that $t$ and $\beta$ are integers, that $g_i$ is an integer for all $x_i \in V_{AB} \cup V_{B \setminus A}$, and from Lemma 10 that $b_i + e_i$ is an integer for $x_i \in V_{AB}$ and $f_i$ is an integer for $x_i \in V_{B \setminus A}$. It follows that the left hand side of Equation D.7 is an integer, while the right hand side of Equation D.7 is not an integer by Lemma 10. This is the required contradiction. It follows that $I_\beta \wedge BX = B'$ is unsatisfiable.

3. By the definition of $I_\beta$, it only contains the common variables of $AX = A'$ and $BX = B'$. $\square$
D.2 Proofs from Section 6.5

D.2.1 Proof of Theorem 13

In order to prove Theorem 13 we reduce the given system of LMEs to an equisatisfiable system of LDEs. We then use Theorem 11 about the satisfiability of LDEs to complete the proof.

Reduction of a System of LMEs to an Equisatisfiable System of LDEs

Suppose we are given a system $CX \equiv_l D$ of linear modular equations:

$$\underbrace{\begin{bmatrix} c_{11} & \cdots & c_{1n} \\ c_{21} & \cdots & c_{2n} \\ \vdots & & \vdots \\ c_{m1} & \cdots & c_{mn} \end{bmatrix}}_{C} \underbrace{\begin{bmatrix} x_1 \\ \vdots \\ x_n \end{bmatrix}}_{X} \equiv_l \underbrace{\begin{bmatrix} d_1 \\ d_2 \\ \vdots \\ d_m \end{bmatrix}}_{D}$$

For each equation $\sum_j c_{ij} x_j \equiv_l d_i$ in $CX \equiv_l D$ we introduce a new integer variable $v_i$ to obtain a new equation (without modulo), given as follows:

$$\sum_{j=1}^{n} c_{ij} x_j + l\, v_i = d_i$$

The above equation is equisatisfiable with the linear modular equation $\sum_j c_{ij} x_j \equiv_l d_i$. Let $V$ denote the vector of variables $v_1, \ldots, v_m$. We call the new system of linear equations $C'Z = D$, where $Z$ denotes the concatenation of the variable vectors $X$ and $V$, so that $C' = [\,C \;\; l I_m\,]$ with $I_m$ the $m \times m$ identity matrix. Note that $C'Z = D$ is a system of linear diophantine equations.


Lemma 11. The following are equivalent:

(a) the system of linear modular equations $CX \equiv_l D$ has an integral solution;

(b) the system of linear diophantine equations $C'Z = D$ has an integral solution.

Proof. The proof of the above lemma is elementary. $\square$

Theorem 13. Let $C$ be a rational matrix, $D$ a rational column vector, and $l$ a rational number. The system $CX \equiv_l D$ has no integral solution $X$ if and only if there exists a rational row vector $R$ such that $RC$ is integral, $lR$ is integral, and $RD$ is not an integer.

Proof. From Lemma 11 and Theorem 11 the following are equivalent:

(a) the system of linear modular equations $CX \equiv_l D$ has no integral solution;

(b) the system of linear diophantine equations $C'Z = D$ has no integral solution;

(c) there exists a row vector $R$ such that $RC'$ is integral and $RD$ is not an integer.

We show that the property of $R$ in (c) is equivalent to "(d) $RC$ is integral, $lR$ is integral, and $RD$ is not an integer".

Let $R = [r_1, \ldots, r_m]$. Then

$$RC' = \Big[\sum_{i=1}^{m} r_i c_{i1},\; \ldots,\; \sum_{i=1}^{m} r_i c_{in},\; l r_1,\; \ldots,\; l r_m\Big]$$

that is, $RC' = [\,RC \;\; lR\,]$.

Thus $RC'$ is integral if and only if both $RC$ and $lR$ are integral. This shows that (c) is equivalent to (d). Thus (a) is equivalent to (d), as required. $\square$
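The certificate checks of Theorems 11 and 13, the reduction of Lemma 11, and the interpolant construction of Theorem 12, as an added Python example that is not part of the thesis. The representation of an equation as a dictionary of rational coefficients, the function names, the naming scheme `v0, v1, ...` for the fresh modulus variables, and the inputs are assumptions of the example; the inputs are Example 5 of the thesis ($x - 2y = 0$ against $x - 2z = 1$) together with a second pair constructed here so that $\alpha = 3$, and an unsatisfiable two-equation LME system for Theorem 13. `check_interpolant` enumerates integer points in a small box and tests the three interpolant conditions on that box; it is a sanity check, not a proof.

```python
"""Added example (not the thesis's code): unsatisfiability certificates for LDEs
and LMEs, the LME-to-LDE reduction of D.2.1, and the LME interpolant of Theorem 12."""
from fractions import Fraction as Fr
from functools import reduce
from itertools import product
from math import gcd

# Assumed encoding: an equation is (lhs, rhs) with lhs = {variable: rational coefficient}.
def combine(R, system):
    """The single equation sum_k R[k] * (lhs_k = rhs_k); zero coefficients are dropped."""
    lhs, rhs = {}, Fr(0)
    for r, (row, c) in zip(R, system):
        for x, a in row.items():
            lhs[x] = lhs.get(x, Fr(0)) + Fr(r) * a
        rhs += Fr(r) * c
    return {x: a for x, a in lhs.items() if a != 0}, rhs

def integral(values):
    return all(Fr(v).denominator == 1 for v in values)

def is_lde_proof(R, system):
    """Theorem 11 certificate for CX = D: RC integral and RD not an integer."""
    lhs, rhs = combine(R, system)
    return integral(lhs.values()) and rhs.denominator != 1

def lme_to_lde(system, l):
    """D.2.1: sum_j c_ij x_j =_l d_i becomes sum_j c_ij x_j + l*v_i = d_i (fresh v_i, assumed names v0, v1, ...)."""
    return [({**row, f"v{i}": Fr(l)}, c) for i, (row, c) in enumerate(system)]

def is_lme_proof(R, system, l):
    """Theorem 13 certificate for CX =_l D: RC integral, lR integral, RD not an integer."""
    lhs, rhs = combine(R, system)
    return integral(lhs.values()) and integral(Fr(l) * Fr(r) for r in R) and rhs.denominator != 1

def lme_interpolant(R1, R2, A, B, beta=None):
    """Theorem 12: returns (b_i over V_AB, c, beta) encoding I_beta := sum b_i x_i = c (mod beta).
    A modulus of None means the partial interpolant itself is an LDE interpolant (Lemma 3)."""
    assert is_lde_proof(list(R1) + list(R2), A + B), "R is not a proof of unsatisfiability"
    in_b = {x for row, _ in B for x in row}
    lhs, c = combine(R1, A)                                   # partial interpolant (D.1)
    private = [a for x, a in lhs.items() if x not in in_b]    # the a_i, x_i in V_{A\B}
    common = {x: a for x, a in lhs.items() if x in in_b}      # the b_i, x_i in V_AB
    if not private:
        return common, c, None
    assert integral(private)                                  # Lemma 10(a)
    alpha = reduce(gcd, (abs(int(a)) for a in private))       # alpha > 0
    beta = alpha if beta is None else beta
    assert alpha % beta == 0, "beta must divide alpha"
    return common, c, beta

def holds(lhs, rhs, point, modulus=None):
    """Does lhs = rhs (or lhs = rhs mod modulus) hold at an integer point?"""
    v = sum((Fr(a) * point[x] for x, a in lhs.items()), Fr(0)) - Fr(rhs)
    return v == 0 if modulus is None else (v / Fr(modulus)).denominator == 1

def check_interpolant(interp, A, B, bound=6):
    """Box-enumeration sanity check of the three interpolant conditions (not a proof):
    A implies I, I is inconsistent with B, and I mentions only shared variables."""
    lhs, c, beta = interp
    va = {x for row, _ in A for x in row}
    vb = {x for row, _ in B for x in row}
    if not set(lhs) <= va & vb:
        return False
    names = sorted(va | vb)
    for vals in product(range(-bound, bound + 1), repeat=len(names)):
        p = dict(zip(names, vals))
        i_ok = holds(lhs, c, p, beta)
        if all(holds(r, d, p) for r, d in A) and not i_ok:
            return False
        if i_ok and all(holds(r, d, p) for r, d in B):
            return False
    return True

# Constructed inputs.  Example 5 of the thesis: F is x - 2y = 0, G is x - 2z = 1,
# with R = [1/2, -1/2]: R1A + R2B = [0, -1, 1] is integral, R1A' + R2B' = -1/2 is not.
A5, B5 = [({"x": 1, "y": -2}, 0)], [({"x": 1, "z": -2}, 1)]
R5 = ([Fr(1, 2)], [Fr(-1, 2)])
# A second pair built here so that alpha = 3: x - 6y = 1 and x - 4z = 2 (same R).
A6, B6 = [({"x": 1, "y": -6}, 1)], [({"x": 1, "z": -4}, 2)]
# An unsatisfiable LME system for Theorem 13: x =_4 1 and x =_4 3, with R = [1/4, -1/4].
LME4, R4 = [({"x": 1}, 1), ({"x": 1}, 3)], [Fr(1, 4), Fr(-1, 4)]

if __name__ == "__main__":
    print(lme_interpolant(*R5, A5, B5))   # ({'x': Fraction(1, 2)}, Fraction(0, 1), 1): x/2 integral, i.e. x even
    print(lme_interpolant(*R5, A6, B6))   # ({'x': Fraction(1, 2)}, Fraction(1, 2), 3): x = 1 (mod 6)
    print(is_lme_proof(R4, LME4, 4), is_lde_proof(R4, lme_to_lde(LME4, 4)))   # True True
```

For Example 5 the partial interpolant is $\tfrac{1}{2}x - y = 0$, so $\alpha = 1$ and $I_1$ says $\tfrac{1}{2}x$ is an integer, that is, $x$ is even, which $F$ implies and $G$ refutes; no LDE over $x$ alone could do this, as shown in D.1. For the second pair the private coefficient is $-3$, and both $\beta = 3$ ($x \equiv 1 \pmod 6$) and $\beta = 1$ ($x$ odd) pass the box check, illustrating that any divisor of $\alpha$ works. The Theorem 13 part shows the same $R$ certifying $CX \equiv_l D$ directly and certifying the reduced $C'Z = D$, since $RC' = [RC, lR]$.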


D.2.2 Proof of Theorem 14

Recall that $V_{A \setminus B}$ denotes the set of variables that occur only in $AX \equiv_l A'$ (and not in $BX \equiv_l B'$) and $V_{AB}$ denotes the set of variables that occur in both $AX \equiv_l A'$ and $BX \equiv_l B'$. The rational row vector $R = [R_1, R_2]$ is a proof of unsatisfiability of $AX \equiv_l A' \wedge BX \equiv_l B'$ such that

$R_1 A + R_2 B$ is integral, (D.8)

$lR = [lR_1, lR_2]$ is integral, (D.9)

$R_1 A' + R_2 B'$ is not an integer. (D.10)

Lemma 12. The coefficient of $x_i \in V_{A \setminus B}$ in $R_1 A X$ is an integer.

Proof. By definition of $V_{A \setminus B}$, the coefficient of $x_i \in V_{A \setminus B}$ is zero in $R_2 B X$. Thus the coefficient of $x_i \in V_{A \setminus B}$ is the same in $R_1 A X$ and $(R_1 A + R_2 B) X$. We know that $R_1 A + R_2 B$ is integral from Equation D.8. So the coefficient of $x_i \in V_{A \setminus B}$ in $R_1 A X$ is an integer. $\square$

Theorem 14. We assume $l \neq 0$. Let $S_1$ denote the set of non-zero coefficients of the $x_i \in V_{A \setminus B}$ in $R_1 A X$. Let $S_2$ denote the set of all non-zero elements of the row vector $lR_1$. If $S_2 = \emptyset$, then the interpolant for $(AX \equiv_l A', BX \equiv_l B')$ is the trivial LME $0 \equiv_l 0$. Otherwise, let $S_2 \neq \emptyset$ and let $\alpha$ denote the gcd of the numbers in $S_1 \cup S_2$. (a) $\alpha$ is an integer and $\alpha > 0$. (b) Let $\beta$ be any integer that divides $\alpha$, and let $U = \frac{l}{\beta} R_1$. Then $UAX \equiv_l UA'$ is an interpolant for $(AX \equiv_l A', BX \equiv_l B')$.

Proof. $S_2 = \emptyset$: If $S_2 = \emptyset$, all elements of $lR_1$ are zero. Since $l \neq 0$, $R_1$ must be the zero vector. It follows that $R_1 A$ is the zero vector and $R_1 A' = 0$. Using Equation D.8 and $R_1 A = 0$, it follows that $R_2 B$ is integral. Using Equation D.10 and $R_1 A' = 0$, it follows that $R_2 B'$ is not an integer. Thus $BX \equiv_l B'$ is itself unsatisfiable, with $R_2$ as the proof of unsatisfiability. In this case we can simply take true as the interpolant for the pair $(AX \equiv_l A', BX \equiv_l B')$; the interpolant true can be expressed as the trivial LME $0 \equiv_l 0$.


$S_2 \neq \emptyset$: We first show that $\alpha$ is an integer. Since $lR_1$ is integral (see equation D.9)
all elements of $S_2$ are non-zero integers. All elements of $S_1$ are non-zero integers
due to Lemma 12. Thus, $S_1 \cup S_2$ is a set of non-zero integers. Since $S_2 \neq \emptyset$ there
exists at least one element in $S_1 \cup S_2$. $\alpha$ is the gcd of the numbers in $S_1 \cup S_2$. So $\alpha$
is a non-zero integer and by definition of gcd $\alpha$ is positive.


Let $\mu$ be any integer that divides $\alpha$. Note that $\mu \neq 0$ as $\alpha \neq 0$. We define

$I_\mu := UAX =_l UA'$ where $U = \frac{l}{\mu} R_1$. (D.11)

We need to show that $I_\mu$ is an interpolant for the pair $(AX =_l A', BX =_l B')$.


(a) To show $AX =_l A' \Rightarrow I_\mu$. If we show that $U$ is integral, then by Lemma 4 it
follows that $AX =_l A' \Rightarrow UAX =_l UA'$ and thus $AX =_l A' \Rightarrow I_\mu$. We need to show
that $U$ is integral.

Recall from equation D.9 that $lR_1$ is integral. By definition of $\alpha$ it follows that
$\alpha$ divides every element in $S_1$ and every element of the row vector $lR_1$ (the zero entries trivially). Since $\mu$ divides $\alpha$, $\mu$ divides
every element in $lR_1$. So $\frac{1}{\mu} lR_1 = U$ is an integral vector.
(b) To show $I_\mu \wedge (BX =_l B')$ is unsatisfiable. Observe that $I_\mu \wedge (BX =_l B')$ is
another system of LMEs

$\begin{bmatrix} UA \\ B \end{bmatrix} X =_l \begin{bmatrix} UA' \\ B' \end{bmatrix}$

We show that the row vector $[\frac{\mu}{l}, R_2]$ serves as the proof of unsatisfiability of
$I_\mu \wedge (BX =_l B')$. We will check the conditions in the definition of proof of unsatisfiability.

- To show $[\frac{\mu}{l}, R_2] \begin{bmatrix} UA \\ B \end{bmatrix}$ is integral.
The above product is equal to $\frac{\mu}{l}(UA) + R_2 B = R_1 A + R_2 B$. By equation D.8 we
know that $R_1 A + R_2 B$ is integral.

- To show that $l[\frac{\mu}{l}, R_2] = [\mu, lR_2]$ is integral. From equation D.9, $lR_2$ is integral
and $\mu$ is an integer by definition.

- To show $[\frac{\mu}{l}, R_2] \begin{bmatrix} UA' \\ B' \end{bmatrix}$ is not an integer.
The above product is equal to $\frac{\mu}{l}(UA') + R_2 B' = R_1 A' + R_2 B'$. By equation D.10
we know that $R_1 A' + R_2 B'$ is not an integer.

We conclude that $[\frac{\mu}{l}, R_2]$ is a proof of unsatisfiability of $I_\mu \wedge (BX =_l B')$. Thus,
$I_\mu \wedge (BX =_l B')$ is unsatisfiable.


(c) To show that $I_\mu$ only contains variables that are common to both $(AX =_l A', BX =_l B')$. Since $I_\mu$ is obtained by a linear combination of equations from
$AX =_l A'$, we can write $I_\mu$ as follows:

$\underbrace{\sum_{x_i \in V_{A \setminus B}} a_i x_i + \sum_{x_i \in V_{AB}} b_i x_i}_{UAX} =_l UA'$ (D.12)

where all coefficients $a_i, b_i$ and $c = UA'$ are rational numbers.

We will show that the coefficient $a_i$ of each $x_i \in V_{A \setminus B}$ in equation D.12 is
divisible by $l$. This will in turn show that

$\sum_{x_i \in V_{A \setminus B}} a_i x_i =_l 0$ (D.13)

since the $x_i$ are integer variables. This will allow $I_\mu$ to be written in an equivalent
manner (containing only variables from $V_{AB}$) as follows:

$\sum_{x_i \in V_{AB}} b_i x_i =_l c.$

We now show that the coefficient $a_i$ of each $x_i \in V_{A \setminus B}$ in equation D.12 is
divisible by $l$. Recall that

$I_\mu := UAX =_l UA'$ where $U = \frac{l}{\mu} R_1$ and $\mu$ divides $\alpha$. (D.14)

By definition $\alpha$ divides every element in $S_1$ (and zero coefficients are trivially divisible)
⇒ $\alpha$ divides the coefficient of each $x_i \in V_{A \setminus B}$ in $R_1 AX$
⇒ $\mu$ divides the coefficient of each $x_i \in V_{A \setminus B}$ in $R_1 AX$
⇒ the coefficient of $x_i \in V_{A \setminus B}$ in $\frac{1}{\mu} R_1 AX$ is an integer
⇒ the coefficient of $x_i \in V_{A \setminus B}$ in $l \times \frac{1}{\mu} R_1 AX$ is divisible by $l$
⇒ the coefficient of $x_i \in V_{A \setminus B}$ in $UAX$ is divisible by $l$ (as $U = \frac{l}{\mu} R_1$)

The coefficient of $x_i \in V_{A \setminus B}$ in $UAX$ is simply $a_i$ (equation D.12). So $l$ divides $a_i$.

□


Degenerate case $l = 0$. Let $AX =_l A'$ be a system of LMEs. For $l = 0$, $AX =_l A'$
is equivalent to the system of LDEs $AX = A'$. In order to see this, consider an LME
$\sum_{i=1}^n a_i x_i =_0 b$. This LME is satisfied if and only if $\sum_{i=1}^n a_i x_i - b = 0 \times \lambda$ for some
integer $\lambda$. Thus, the LME $\sum_{i=1}^n a_i x_i =_0 b$ is equivalent to the LDE $\sum_{i=1}^n a_i x_i = b$.

Suppose $AX =_0 A' \wedge BX =_0 B'$ is unsatisfiable. Then the interpolant for $(AX =_0 A', BX =_0 B')$ can be obtained by computing the interpolant for the pair of LDEs
$(AX = A', BX = B')$.
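The construction of Theorem 14, as an added example that is not part of the thesis: the Python below (exact rationals via the standard `fractions` module) takes the proof of unsatisfiability $R = [R_1, R_2]$ as input, checks conditions D.8 to D.10, computes $\alpha$, $U = \frac{l}{\mu} R_1$ and the interpolant $UAX =_l UA'$, and then verifies the three interpolant conditions by brute force over residues modulo $l$ (sound because every LME involved has integer coefficients). The two-variable-sharing system, the modulus $l = 4$ and the vector $R$ are constructed for this example and were found by hand; none of them appear in the thesis.

```python
# Added example (not from the thesis): Theorem 14 made executable, with a
# brute-force check of the interpolant conditions over residues mod l.
from fractions import Fraction
from functools import reduce
from itertools import product
from math import gcd

def row_times_matrix(r, m):
    """Row vector r (length k) times k x n matrix m, exact rationals."""
    return [sum(r[i] * m[i][j] for i in range(len(m))) for j in range(len(m[0]))]

def dot(r, v):
    return sum(a * b for a, b in zip(r, v))

def is_proof_of_unsat(A, Ap, B, Bp, R1, R2, l):
    """Conditions D.8 to D.10 for the pair (AX =_l A', BX =_l B')."""
    comb = [a + b for a, b in zip(row_times_matrix(R1, A), row_times_matrix(R2, B))]
    d8 = all(c.denominator == 1 for c in comb)                    # R1 A + R2 B integral
    d9 = all((l * r).denominator == 1 for r in R1 + R2)           # l R integral
    d10 = (dot(R1, Ap) + dot(R2, Bp)).denominator != 1            # R1 A' + R2 B' not an integer
    return d8 and d9 and d10

def lme_interpolant(A, Ap, B, Bp, R1, R2, l, mu=1):
    """Theorem 14: coefficients and right-hand side of U A X =_l U A', U = (l/mu) R1.
    A variable is A-local (in V_{A\\B}) iff its column in B is zero."""
    assert l != 0 and is_proof_of_unsat(A, Ap, B, Bp, R1, R2, l)
    n = len(A[0])
    r1a = row_times_matrix(R1, A)
    a_local = [j for j in range(n) if all(row[j] == 0 for row in B)]
    s1 = [r1a[j] for j in a_local if r1a[j] != 0]    # integers by Lemma 12
    s2 = [l * r for r in R1 if l * r != 0]           # integers by D.9
    if not s2:                                        # trivial interpolant 0 =_l 0
        return [Fraction(0)] * n, Fraction(0)
    alpha = reduce(gcd, [int(v) for v in s1 + s2])   # positive integer, part (a)
    assert alpha % mu == 0, "mu must divide alpha"
    U = [Fraction(l, mu) * r for r in R1]
    coeffs = row_times_matrix(U, A)
    assert all(c.denominator == 1 for c in coeffs)        # U integral, as in part (a) of the proof
    assert all(coeffs[j] % l == 0 for j in a_local)       # A-local coefficients vanish mod l, part (c)
    return coeffs, dot(U, Ap)

def lme_system_sat(rows, rhs, l, n):
    """Brute force over residues mod l (sound for integer-coefficient LMEs)."""
    return any(all(dot(row, x) % l == b % l for row, b in zip(rows, rhs))
               for x in product(range(l), repeat=n))

def check_interpolant(A, Ap, B, Bp, coeffs, rhs, l):
    """(a) A implies I, (b) I and B unsatisfiable, (c) I mentions only shared variables."""
    n = len(A[0])
    I, r = [int(c) for c in coeffs], int(rhs)
    a_implies_i = all(dot(I, x) % l == r % l
                      for x in product(range(l), repeat=n)
                      if all(dot(row, x) % l == b % l for row, b in zip(A, Ap)))
    i_and_b_unsat = not lme_system_sat(B + [I], Bp + [r], l, n)
    shared = {j for j in range(n) if any(row[j] for row in A) and any(row[j] for row in B)}
    only_shared = all(I[j] % l == 0 for j in range(n) if j not in shared)
    return a_implies_i and i_and_b_unsat and only_shared

# Constructed instance with l = 4 (not from the thesis):
#   A: x1 + x2 =_4 0,  x1 - x2 =_4 2      B: x2 + 2 x3 =_4 0
#   R1 = [1/4, -1/4], R2 = [1/2] found by hand; x1 is A-local, x3 is B-local.
Fr = Fraction
A_EX, Ap_EX = [[Fr(1), Fr(1), Fr(0)], [Fr(1), Fr(-1), Fr(0)]], [Fr(0), Fr(2)]
B_EX, Bp_EX = [[Fr(0), Fr(1), Fr(2)]], [Fr(0)]
R1_EX, R2_EX, L_EX = [Fr(1, 4), Fr(-1, 4)], [Fr(1, 2)], 4

if __name__ == "__main__":
    c, r = lme_interpolant(A_EX, Ap_EX, B_EX, Bp_EX, R1_EX, R2_EX, L_EX)
    print("interpolant coefficients", c, "=_4", r)   # [0, 2, 0] =_4 -2, i.e. x2 is odd
    print("conditions hold:", check_interpolant(A_EX, Ap_EX, B_EX, Bp_EX, c, r, L_EX))
```

For the constructed instance $S_1 = \emptyset$ (the coefficient of the A-local $x_1$ in $R_1AX$ is zero), $S_2 = \{1, -1\}$, so $\alpha = 1$, $U = [1, -1]$ and the interpolant is $2x_2 =_4 -2$, which says that $x_2$ is odd; choosing $\mu = -1$ gives the equivalent $-2x_2 =_4 2$.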




D.3  Proof  of  Corollary  14 


Corollary 14. Given $CX = D$ where $C, D$ are rational matrices, and $C$ has full
row rank. Let $[E\ 0]$ denote the Hermite normal form (HNF) of $C$. If $CX = D$ has
no integral solution, then $E^{-1}D$ is not integral (due to Lemma 5). Suppose the $i$th
entry in $E^{-1}D$ is not an integer. Let $R'$ denote the $i$th row in $E^{-1}$. Then

(a) $R'D$ is not an integer

(b) $R'C$ is integral

Thus, $R'$ serves as the required proof of unsatisfiability of $CX = D$.

Proof. (a) Follows from the definition of $R'$, since $R'D$ is the $i$th entry of $E^{-1}D$.

(b) We know that

$CU = [E\ 0]$

where $U$ is a unimodular matrix. Since $E$ is invertible (by definition of HNF) we
can multiply both sides of the above equation by $E^{-1}$ to obtain

$E^{-1} C U = E^{-1} [E\ 0].$

The above equation simplifies to

$E^{-1} C U = [I\ 0]$

where $I$ is the identity matrix. Since $U$ is unimodular its inverse $U^{-1}$ exists and
it is a unimodular matrix. Multiply both sides of the above equation by $U^{-1}$ to
obtain

$E^{-1} C U U^{-1} = [I\ 0]\, U^{-1}.$

The above equation simplifies to

$E^{-1} C = [I\ 0]\, U^{-1}.$

Since $U^{-1}$ is unimodular the right hand side of the above equation has integral entries. Thus, the left hand side $E^{-1}C$ is integral. In particular the $i$th row in $E^{-1}C$
is integral. Observe that the $i$th row in $E^{-1}C$ is simply $R'C$. Thus, $R'C$ is integral.
□
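Corollary 14 as an added example (not code from the thesis): the Python below brings a full-row-rank rational matrix $C$ into the form $CU = [E\ 0]$ by unimodular column operations (a Hermite-normal-form style elimination run on $dC$ for a common denominator $d$, so that $E$ is the integral result divided by $d$), inverts the lower-triangular $E$ by forward substitution, and returns a row $R'$ of $E^{-1}$ with $R'D$ non-integral, checking that $R'C$ is integral. The system used is the one of Example 45 in Appendix D.10; the elimination routine and its helper names are this example's own.

```python
# Added example (not from the thesis): Corollary 14 made executable with exact
# rational arithmetic. hnf_column_form() computes C*U = [E 0] by unimodular
# column operations; proof_of_unsat_lde() reads the proof off a row of E^{-1}.
from fractions import Fraction
from math import lcm

def hnf_column_form(C):
    """C: m x n list of Fractions with full row rank (m <= n).
    Returns (E, U): E an m x m lower-triangular non-singular rational matrix,
    U an n x n integral unimodular matrix, with C * U = [E 0].
    A common denominator d is factored out so the Euclidean steps run on
    integers; subtracting an integer multiple of a column, swapping two
    columns and negating a column are all unimodular operations."""
    m, n = len(C), len(C[0])
    d = lcm(*[c.denominator for row in C for c in row])
    M = [[int(c * d) for c in row] for row in C]                 # d*C, integral
    U = [[1 if i == j else 0 for j in range(n)] for i in range(n)]

    def swap(j, k):
        for row in M + U:
            row[j], row[k] = row[k], row[j]

    def subtract(j, k, q):                                       # col_j -= q * col_k
        for row in M + U:
            row[j] -= q * row[k]

    for i in range(m):
        for j in range(i + 1, n):
            while M[i][j] != 0:          # Euclid on (M[i][i], M[i][j]) via column ops
                subtract(i, j, M[i][i] // M[i][j])
                swap(i, j)               # |M[i][j]| strictly decreases every round
        if M[i][i] < 0:
            for row in M + U:
                row[i] = -row[i]
        assert M[i][i] != 0, "C does not have full row rank"
    E = [[Fraction(M[i][j], d) for j in range(m)] for i in range(m)]
    return E, U

def inverse_lower_triangular(E):
    """Forward substitution, column by column, on E * y = e_k."""
    m = len(E)
    inv = [[Fraction(0)] * m for _ in range(m)]
    for k in range(m):
        for i in range(m):
            s = Fraction(int(i == k)) - sum(E[i][j] * inv[j][k] for j in range(i))
            inv[i][k] = s / E[i][i]
    return inv

def row_vec_times(R, M):
    return [sum(R[i] * M[i][j] for i in range(len(M))) for j in range(len(M[0]))]

def is_proof_of_unsat(C, D, R):
    """R C integral and R D not an integer."""
    RD = sum(r * dd for r, dd in zip(R, D))
    return all(c.denominator == 1 for c in row_vec_times(R, C)) and RD.denominator != 1

def proof_of_unsat_lde(C, D):
    """Corollary 14: a row R' of E^{-1} with R'D non-integral, or None when
    E^{-1}D is integral (then CX = D has an integral solution by Lemma 5)."""
    E, _ = hnf_column_form(C)
    for Rp in inverse_lower_triangular(E):
        if sum(r * dd for r, dd in zip(Rp, D)).denominator != 1:
            assert is_proof_of_unsat(C, D, Rp)
            return Rp
    return None

def hnf_is_consistent(C):
    """Sanity check: C*U equals [E 0] with U integral."""
    E, U = hnf_column_form(C)
    m, n = len(C), len(C[0])
    CU = [[sum(C[i][k] * U[k][j] for k in range(n)) for j in range(n)] for i in range(m)]
    return all(CU[i][j] == (E[i][j] if j < m else 0) for i in range(m) for j in range(n))

# Constructed input: the system of Example 45 (x - 2y = 0, x - 2z = 1), which
# forces x to be both even and odd.
Fr = Fraction
C_EX = [[Fr(1), Fr(-2), Fr(0)], [Fr(1), Fr(0), Fr(-2)]]
D_EX = [Fr(0), Fr(1)]

if __name__ == "__main__":
    print("proof of unsatisfiability R' =", proof_of_unsat_lde(C_EX, D_EX))   # [1/2, 1/2]
```

For the example the elimination yields $E = \begin{bmatrix} 1 & 0 \\ -1 & 2 \end{bmatrix}$, $E^{-1}D = [0, \tfrac{1}{2}]^T$, and the second row of $E^{-1}$, $R' = [\tfrac{1}{2}, \tfrac{1}{2}]$, gives $R'C = [1, -1, -1]$ and $R'D = \tfrac{1}{2}$.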


D.4  Proof  of  Lemma  6 

We need to introduce the cutting-plane proof system [129, 44] in order to prove this
lemma. Suppose we are given a system of integer linear inequalities $AX \le B$,
where $A, B$ are rational matrices and $X$ is a column vector of integer variables.
The following inference rules allow us to derive new inequalities that are implied
by $AX \le B$.

nonneg_lin_comb: We can take a non-negative linear combination of inequalities to derive a new inequality.

$\dfrac{AX \le B}{RAX \le RB}$ ($R$ is a rational row vector whose every element is non-negative.)

rounding: If we have a linear inequality $EX \le F$ such that all coefficients in
$E$ are integers ($E \in \mathbb{Z}^n$), then we can round down the right hand side $F$.

$\dfrac{EX \le F}{EX \le \lfloor F \rfloor}$ ($E \in \mathbb{Z}^n$)

($EX \le F$ in the above rule represents a single inequality and not a system of inequalities. $E$ is a row vector containing $n$ integers.) We say an application of the
rounding rule is redundant if $F = \lfloor F \rfloor$ in the above inference rule.

weak_rhs: Given $F \le F'$ and a linear inequality $EX \le F$ we can derive $EX \le F'$.

$\dfrac{EX \le F}{EX \le F'}$ ($F \le F'$)

We say an application of the weak_rhs rule is redundant if $F = F'$ in the above
inference rule.

A cutting plane proof of an inequality $EX \le F$ from $AX \le B$ is a sequence of
inequalities $E_1 X \le F_1, \ldots, E_l X \le F_l$ such that

$\dfrac{AX \le B,\; E_1 X \le F_1,\; \ldots,\; E_{i-1} X \le F_{i-1}}{E_i X \le F_i}$ (nonneg_lin_comb or rounding)

for each $i = 1, \ldots, l$, that is, each step is an application of the nonneg_lin_comb or
the rounding inference rule ($E_1, \ldots, E_l$ are rational row vectors and $F_1, \ldots, F_l$
are rational numbers). We do not need the weak_rhs rule anywhere, except
possibly as the last step in a cutting plane proof:

$\dfrac{E_l X \le F_l}{EX \le F}$ ($E = E_l$, $F_l \le F$).

The cutting plane proof system provides a sound and complete inference system for integer linear inequalities. This is stated formally in the following theorem.

Theorem 16 (Schrijver [129]) We are given a system of integer linear inequalities $AX \le B$, where $A, B$ are rational matrices and $X$ is a column vector of integer
variables. Let $EX \le F$ be an inequality, where $E$ is a rational row vector and $F$
is a rational number.

1. $AX \le B$ has an integral solution and $AX \le B$ implies $EX \le F$ if and only if
there is a cutting plane proof of $EX \le F$ from $AX \le B$.

2. $AX \le B$ has no integral solution if and only if there is a cutting plane proof
of $0 \le -1$ from $AX \le B$.

We  need  to  prove  the  following: 
Lemma 6: The following are equivalent:

1. A system of LDEs $AX = B$ implies a LDE $EX = F$

2. $AX = B$ has no integral solution or there exists a rational row vector $R$ such
that $E = RA$ and $F = RB$.


Proof. (2) ⇒ (1) is straightforward.

(1) ⇒ (2): Given $AX = B$ implies a linear equation $EX = F$. If $AX = B$ has no
integral solution we are done, that is, (2) holds. Otherwise, assume that $AX = B$
has an integral solution.

We can write $AX = B$ as an equivalent system of inequalities $AX \le B \wedge -AX \le -B$. The cutting plane (CP) proof rules provide a complete inference system
for integer linear inequalities. We can write the LDE $EX = F$ as $EX \le F \wedge -EX \le -F$. The system of linear inequalities $AX \le B \wedge -AX \le -B$ implies
$EX \le F \wedge -EX \le -F$. Let us consider the CP proof of $EX \le F$ from the inequalities $AX \le B \wedge -AX \le -B$. We show that the inference rules used in this proof
will only involve the nonneg_lin_comb rule. Any application of the rounding
or weak_rhs rule will either be redundant or will lead to a contradiction. The
latter case is not possible because $AX = B$, or the equivalent system of inequalities,
has an integral solution.

Consider the first application of rounding in the CP proof of $EX \le F$.

$\dfrac{E_j X \le F_j}{E_j X \le \lfloor F_j \rfloor}$ ($E_j \in \mathbb{Z}^n$)

Since all the rules used to derive $E_j X \le F_j$ are non-negative linear combination
rules, we can combine all steps used to derive $E_j X \le F_j$ into a single application
of the nonneg_lin_comb rule. That is, we can find a rational row vector $[R_1, R_2]$
such that

$\dfrac{\begin{bmatrix} A \\ -A \end{bmatrix} X \le \begin{bmatrix} B \\ -B \end{bmatrix}}{[R_1, R_2] \begin{bmatrix} A \\ -A \end{bmatrix} X \le [R_1, R_2] \begin{bmatrix} B \\ -B \end{bmatrix}}$ ($[R_1, R_2] \ge 0$)

where $R_1, R_2$ are non-negative, $E_j = R_1 A + R_2(-A)$ and $F_j = R_1 B + R_2(-B)$. We
can also derive $-E_j X \le -F_j$ by taking a non-negative linear combination of $AX \le B \wedge -AX \le -B$ using $[R_2, R_1]$. If $F_j = \lfloor F_j \rfloor$ then the application of the rounding rule

$\dfrac{E_j X \le F_j}{E_j X \le \lfloor F_j \rfloor}$ ($E_j \in \mathbb{Z}^n$)

is redundant. Otherwise, let $\lfloor F_j \rfloor = k$ (so $k \neq F_j$) and

$\dfrac{E_j X \le F_j}{E_j X \le k}$

Since $F_j$ is not an integer, $\lfloor -F_j \rfloor = -k - 1$. We apply rounding to $-E_j X \le -F_j$ to obtain

$\dfrac{-E_j X \le -F_j}{-E_j X \le -k - 1}$ ($-E_j \in \mathbb{Z}^n$)

By combining the above two inequalities ($E_j X \le k$ and $-E_j X \le -k - 1$) we obtain the inequality $0 \le -1$. But this means that the original system of inequalities
$AX \le B \wedge -AX \le -B$ has no integral solution, which contradicts our assumption. Thus, the first application of the rounding rule in the CP proof must be
redundant. Using similar reasoning (induction on the length of the proof) we can
conclude that all applications of rounding in the CP proof must be redundant.


In the CP proof system described above there can be only one application of the
weak_rhs rule, as the last step in a CP proof. We now show that the application
of weak_rhs at the end of the CP proof must be redundant.

$\dfrac{EX \le F_l}{EX \le F}$ ($F_l \le F$)

If $F_l = F$, then the application of weak_rhs is redundant. Otherwise, suppose
$F_l < F$. Recall that $-EX \le -F$ is also an implied inequality of the original
system. We can add $-EX \le -F$ and $EX \le F_l$ to obtain $0 \le F_l - F$. Since $F_l < F$
we can divide $0 \le F_l - F$ by the positive rational number $F - F_l$ to obtain the inequality
$0 \le -1$. But this is a contradiction, since $AX = B$ has an integral solution.


Thus, the cutting plane proof of $EX \le F$ can only involve redundant applications of the rounding or weak_rhs rules. These applications of the rounding or
weak_rhs rules can be removed to obtain a derivation of $EX \le F$ that only involves the nonneg_lin_comb rule. All applications of the nonneg_lin_comb
rule in a CP proof can be combined to obtain a vector $[S_1, S_2]$ such that

$\dfrac{\begin{bmatrix} A \\ -A \end{bmatrix} X \le \begin{bmatrix} B \\ -B \end{bmatrix}}{\underbrace{[S_1, S_2] \begin{bmatrix} A \\ -A \end{bmatrix} X \le [S_1, S_2] \begin{bmatrix} B \\ -B \end{bmatrix}}_{EX \le F}}$ ($[S_1, S_2] \ge 0$)

where $S_1, S_2$ are non-negative, $E = S_1 A + S_2(-A)$ and $F = S_1 B + S_2(-B)$. (Note
that a proof of $-EX \le -F$ can be obtained by taking a non-negative linear combination of $AX \le B, -AX \le -B$ using $[S_2, S_1]$.) Thus, there exists a rational vector
$R = S_1 - S_2$ such that $E = RA$ and $F = RB$. This shows (2) holds. □


D.5  Proof  of  Lemma  7 

We  use  the  following  result  in  the  proof. 

Theorem 17 (Schrijver [129]) Let $AX = B$ be a system of LDEs, where $A, B$ are
rational matrices and $X$ is a column vector of $n$ integer variables. If $AX = B$ is
satisfiable (has an integral solution), then we can find in polynomial time integral
vectors $X_0, \ldots, X_t \in \mathbb{Z}^n$ such that

$\{X \mid AX = B,\ X \text{ integral}\} = \{X_0 + \lambda_1 X_1 + \ldots + \lambda_t X_t \mid \lambda_1, \ldots, \lambda_t \in \mathbb{Z}\}$

with $X_1, \ldots, X_t$ linearly independent. (We think of $X_0, X_1, \ldots, X_t \in \mathbb{Z}^n$ as column
vectors.)


Example 44 Consider a system of LDEs $AX = B$:


The set $S$ of solutions to $AX = B$ is given as:

Lemma 7: Let $AX = B$ denote a system of LDEs, where $A, B$ are rational matrices
and $X$ is a column vector of integer variables. Let $C_i X = D_i$ denote a LDE for
$1 \le i \le m$ ($C_i$ is a rational row vector and $D_i$ is a rational number). The following
are equivalent:

1. $AX = B$ implies $\bigvee_{i=1}^m C_i X = D_i$

2. There exists a $1 \le k \le m$ such that $AX = B$ implies $C_k X = D_k$.

Proof. (2) ⇒ (1): This direction of the proof is straightforward.

(1) ⇒ (2): If $AX = B$ has no integral solution, then $AX = B$ implies any linear
equation. Thus, (2) holds.
Assume that $AX = B$ has an integral solution. In this case we can use
Theorem 17 and write the set $S$ of all integral solutions to $AX = B$ as

$S := \{X_0 + \lambda_1 X_1 + \ldots + \lambda_t X_t \mid \lambda_1, \ldots, \lambda_t \in \mathbb{Z}\}$

where $X_0, X_1, \ldots, X_t \in \mathbb{Z}^n$ (assuming $X$ has size $n \times 1$).

By substituting $X = X_0 + \lambda_1 X_1 + \ldots + \lambda_t X_t$ (with $\lambda_1, \ldots, \lambda_t$ as symbolic variables) in $C_i X - D_i$ we obtain

$C_i(X_0 + \lambda_1 X_1 + \ldots + \lambda_t X_t) - D_i.$

Since $C_i X_0, \ldots, C_i X_t$ are scalars (rational numbers), the difference $C_i X - D_i$ for
$X \in S$ is a linear expression in $\lambda_1, \ldots, \lambda_t$. We denote the difference $C_i X - D_i$ for
$X \in S$ by $\delta_i$. It follows that

$\delta_1 = u_{10} + u_{11}\lambda_1 + \ldots + u_{1t}\lambda_t$
$\vdots$
$\delta_l = u_{l0} + u_{l1}\lambda_1 + \ldots + u_{lt}\lambda_t$ (EQ)
$\vdots$
$\delta_m = u_{m0} + u_{m1}\lambda_1 + \ldots + u_{mt}\lambda_t$

where the $u_{ij}$ are rational numbers and $\lambda_1, \ldots, \lambda_t, \delta_1, \ldots, \delta_m$ are symbolic variables. An
integral assignment $\lambda_1 = \beta_1, \ldots, \lambda_t = \beta_t$ where $\beta_1, \ldots, \beta_t \in \mathbb{Z}$ gives a solution
$X_\beta \in \mathbb{Z}^n$ to $AX = B$ ($X_\beta \in S$). If $\delta_i$ evaluates to zero for $\lambda_1 = \beta_1, \ldots, \lambda_t = \beta_t$, then
$X_\beta$ satisfies the LDE $C_i X = D_i$. Otherwise, $X_\beta$ does not satisfy the LDE $C_i X = D_i$.

We consider two cases.

Case 1: If for some $1 \le k \le m$, $u_{k0} = \ldots = u_{kt} = 0$, then $\delta_k = 0$. That is, every
$X \in S$ satisfies $C_k X = D_k$. Therefore, $AX = B$ implies $C_k X = D_k$. In this case (2)
holds.

Case 2: For all $1 \le k \le m$ there is a $0 \le j \le t$ such that $u_{kj} \neq 0$. We show that
case 2 cannot arise using proof by contradiction. We will give an algorithm for
assigning integral values to $\lambda_1, \ldots, \lambda_t$ such that $\delta_1 \neq 0, \ldots, \delta_m \neq 0$. In other words,
we will show that there exists an $X' \in S$ such that $C_i X' \neq D_i$ for all $1 \le i \le m$. This
will mean that $AX = B$ does not imply $\bigvee_{i=1}^m C_i X = D_i$, leading to a contradiction.

It is convenient to think of the expressions for $\delta_1, \ldots, \delta_m$ as a system of equations
in $\delta_1, \ldots, \delta_m, \lambda_1, \ldots, \lambda_t$. We denote this system of equations as EQ.

We now give an algorithm for assigning integral values to $\lambda_1, \ldots, \lambda_t$ such that
$\delta_1 \neq 0, \ldots, \delta_m \neq 0$. Our algorithm will assign $\lambda_i$ before $\lambda_{i+1}$ for each $1 \le i \le t - 1$.

Let $EQ_0 \subseteq EQ$ denote the equations that do not contain any of the variables $\lambda_1, \ldots, \lambda_t$.
If $\delta_k = u_{k0}$ is an equation in $EQ_0$, then we know that $u_{k0} \neq 0$ (by the case 2 assumption). Thus, $C_k X \neq D_k$ for any $X \in S$. Alternatively, $AX = B$ cannot imply
$C_k X = D_k$. We can safely ignore the equations in $EQ_0$ for the rest of the proof.

Let $EQ_i \subseteq EQ$ for $1 \le i \le t$ denote the set of equations which contain only the variables $\lambda_1, \ldots, \lambda_i$ such that the coefficient of $\lambda_i$ is not zero (the coefficients of $\lambda_1, \ldots, \lambda_{i-1}$
can be zero). Every equation of EQ belongs to exactly one of $EQ_0, EQ_1, \ldots, EQ_t$.

We now describe an algorithm for assigning integer values to $\lambda_i$ for $1 \le i \le t$. The algorithm uses $EQ_i$ to assign a value to $\lambda_i$. Suppose we have assigned
integral values $\alpha_1, \ldots, \alpha_{i-1}$ to $\lambda_1, \ldots, \lambda_{i-1}$, respectively. If $EQ_i = \emptyset$, then assign
an arbitrary integer value $\alpha_i$ to $\lambda_i$. Otherwise, substitute $\lambda_1 = \alpha_1, \ldots, \lambda_{i-1} = \alpha_{i-1}$
in $EQ_i$ to obtain a system of equations $EQ'_i$. A representative equation in $EQ'_i$ is

$\delta_l = v_{l0} + u_{li}\lambda_i \qquad (u_{li} \neq 0)$

where $v_{l0}$ is a rational number and $u_{li}$ is a non-zero rational number by definition
of $EQ_i$. We want to assign $\lambda_i$ such that $\delta_l \neq 0$ for every equation $\delta_l = v_{l0} + u_{li}\lambda_i$
in $EQ'_i$. This can be done by assigning $\lambda_i$ any integer value that is different from the root of each such equation:

$\lambda_i = \alpha_i \quad \text{where } \alpha_i \in \mathbb{Z} \text{ and } \alpha_i \neq -\frac{v_{l0}}{u_{li}} \text{ for every } l \in EQ'_i$

where $l \in EQ'_i$ is a short form of saying that the equation $\delta_l = v_{l0} + u_{li}\lambda_i$ is in $EQ'_i$.
We can always find a suitable $\alpha_i$ because the set of integers has infinite cardinality
(and we have a finite set of rational numbers/integers that cannot be assigned to
$\lambda_i$).

Let $\delta_l = u_{l0} + \sum_{j=1}^t u_{lj}\lambda_j$ denote an equation in $EQ_1 \cup \ldots \cup EQ_i$. The following
invariant holds after $\lambda_i$ is assigned $\alpha_i$: if $\lambda_1 = \alpha_1, \ldots, \lambda_i = \alpha_i$ is substituted in
$\delta_l = u_{l0} + \sum_{j=1}^t u_{lj}\lambda_j$, then $\delta_l \neq 0$.

Thus, once we have assigned $\lambda_1 = \alpha_1, \ldots, \lambda_t = \alpha_t$ using the above algorithm
we have $\delta_1 \neq 0, \ldots, \delta_m \neq 0$. Let $X' \in S$ be the integral solution to $AX = B$ given
by $\lambda_1 = \alpha_1, \ldots, \lambda_t = \alpha_t$. Then $\delta_i = C_i X' - D_i \neq 0$ for each $1 \le i \le m$. That is,
$AX = B$ does not imply $\bigvee_{i=1}^m C_i X = D_i$, leading to a contradiction. Thus, Case 2
cannot arise. □
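The value-assignment algorithm from the proof of Lemma 7, as an added example that is not part of the thesis: the Python below takes the coefficient matrix of the system EQ (one row per $\delta_l$, column $0$ holding $u_{l0}$) under the Case 2 assumption that every row has a non-zero entry, builds $EQ'_i$ for $i = 1, \ldots, t$ in order, and picks each $\alpha_i$ outside the finite set of roots $-v_{l0}/u_{li}$. The coefficient matrix below is constructed for this illustration; the parametrization $X_0 + \lambda_1 X_1 + \ldots + \lambda_t X_t$ from Theorem 17 that would produce it is not computed here.

```python
# Added example (not from the thesis): the lambda-assignment algorithm in the
# proof of Lemma 7. Row l of u is [u_l0, u_l1, ..., u_lt], i.e. the equation
# delta_l = u_l0 + u_l1 lambda_1 + ... + u_lt lambda_t of the system EQ.
from fractions import Fraction

def assign_lambdas(u, t):
    """Assign lambda_1..lambda_t in order; lambda_i avoids the finitely many
    roots of the equations in EQ'_i (rows whose last non-zero coefficient is
    on lambda_i, with lambda_1..lambda_{i-1} already substituted)."""
    alphas = []
    for i in range(1, t + 1):
        eq_i = [row for row in u
                if row[i] != 0 and all(row[j] == 0 for j in range(i + 1, t + 1))]
        forbidden = set()
        for row in eq_i:
            v_l0 = row[0] + sum(row[j] * alphas[j - 1] for j in range(1, i))
            forbidden.add(Fraction(-v_l0) / Fraction(row[i]))   # root of v_l0 + u_li * lambda_i
        alpha = 0
        while alpha in forbidden:     # the integers are infinite, forbidden is finite
            alpha += 1
        alphas.append(alpha)
    return alphas

def deltas(u, alphas):
    """Evaluate every delta_l under the assignment lambda_j = alphas[j-1]."""
    return [row[0] + sum(row[j] * a for j, a in enumerate(alphas, start=1)) for row in u]

def all_nonzero(u, t):
    """The invariant of the proof: after the assignment no delta_l is zero."""
    return all(d != 0 for d in deltas(u, assign_lambdas(u, t)))

# Constructed example with t = 2 and m = 5 equations; rows are [u_l0, u_l1, u_l2].
U_EX = [[3, 0, 0],        # in EQ_0: already non-zero, imposes nothing
        [0, 1, 0],        # in EQ_1: forbids lambda_1 = 0
        [-2, 1, 0],       # in EQ_1: forbids lambda_1 = 2
        [0, 1, -1],       # in EQ_2: forbids lambda_2 = alpha_1
        [1, -2, 2]]       # in EQ_2: forbids lambda_2 = (2 alpha_1 - 1) / 2

if __name__ == "__main__":
    a = assign_lambdas(U_EX, 2)
    print("alphas", a, "deltas", deltas(U_EX, a))   # alphas [1, 0], all deltas non-zero
```

A row of zeros (which Case 2 excludes) belongs to no $EQ_i$ and its $\delta_l$ is identically zero, so `all_nonzero` returns False for such an input; that is exactly the situation Case 1 handles.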


D.6  Proof  of  Theorem  15 

In  addition  to  lemmas  6,7  we  will  use  the  following  theorem. 

Theorem 18 (Schrijver [129]) Let $A$ be a rational matrix, $B$ be a rational column
vector, $C$ be a rational row vector. Assume that the system $AX = B$ has a rational
solution. Then $AX = B$ implies (over rationals) $CX = D$ if and only if there is a
row vector $R$ such that $RA = C$ and $RB = D$.

Theorem 15. Let $F$ denote $AX = B \wedge \bigwedge_{i=1}^m C_i X \neq D_i$. The following are equivalent:

1. $F$ has no integral solution

2. $F$ has no rational solution or $AX = B$ has no integral solution.

Proof. (2) ⇒ (1) is straightforward.

(1) ⇒ (2): Given $F$ has no integral solution. If $AX = B$ has no integral solution,
then (2) holds. Otherwise, assume $AX = B$ has an integral solution. Since $F$ has
no integral solution, every integral solution to $AX = B$ must satisfy $C_i X = D_i$ for
some $1 \le i \le m$. That is,

$AX = B \Rightarrow \bigvee_{i=1}^m C_i X = D_i$

By Lemma 7 it follows that there exists a $1 \le k \le m$ such that

$AX = B \Rightarrow C_k X = D_k$

By Lemma 6 (and our assumption that $AX = B$ has an integral solution) it follows
that there exists a rational row vector $R$ such that

$C_k = RA$ and $D_k = RB$

Using the vector $R$ and Theorem 18 we can conclude that $AX = B$ implies $C_k X = D_k$
over rationals. So

$AX = B \wedge C_k X \neq D_k$

is unsatisfiable over rationals, and therefore

$AX = B \wedge \bigwedge_{i=1}^m C_i X \neq D_i$

is unsatisfiable over rationals. Thus, $F$ is unsatisfiable over rationals and (2) holds.

□
D.7 Interpolants for Linear Diophantine Equations
and Disequations (LDEs+LDDs)

We use the following theorem.

Theorem 19 (Schrijver [129]) Let $A$ be a rational matrix, $B$ be a rational column
vector. The system $AX = B$ has no rational solution if and only if there exists a
rational row vector $R$ such that $RA = 0$ and $RB \neq 0$.

Let $F \wedge G$ be systems of LDEs+LDDs.

$F := AX = B \wedge \bigwedge_i C_i X \neq D_i$

$G := A'X = B' \wedge \bigwedge_j C'_j X \neq D'_j$

$F \wedge G$ represents another system of LDEs+LDDs. Suppose $F \wedge G$ is unsatisfiable
(no integral solution). In this case we want to compute an interpolant for the pair
$(F, G)$. We divided this problem into two cases in Section 6.7. We describe Case
1 below.

By the case 1 assumption we know that $F \wedge G$ has no rational solution. We want
to compute an interpolant for $(F, G)$. The interpolant for $(F, G)$ can be obtained
by using the techniques discussed in [113, 144, 128, 54]. For completeness we
show how to obtain an interpolant for $(F, G)$ by considering three sub-cases.

Case 1.1: $AX = B \wedge A'X = B'$ has no rational solution. Using Theorem 19 there
exists a row vector $[R_1, R_2]$ such that

$R_1 A + R_2 A' = 0$
$R_1 B + R_2 B' \neq 0$

In this case an interpolant for the pair $(F, G)$ is the linear equation $R_1 AX = R_1 B$.
One can verify that $R_1 AX = R_1 B$ satisfies all the conditions required by the definition of interpolants.

We describe Case 1.2 and Case 1.3 next. Since $F \wedge G$ is unsatisfiable over
rationals we have

$AX = B \wedge A'X = B' \Rightarrow \Big(\bigvee_i C_i X = D_i \vee \bigvee_j C'_j X = D'_j\Big)$ (D.15)

The above implication holds for any rational $X$. We know that if a set of
rational linear arithmetic constraints $T$ implies a disjunction of linear equations
$\bigvee_{i=1}^m Eq_i$, then for some $1 \le k \le m$, $T$ implies $Eq_k$. This is due to the convexity of
rational linear arithmetic [120].

Due to convexity $AX = B \wedge A'X = B'$ will imply either an equality belonging
to $\bigvee_i C_i X = D_i$ or an equality belonging to $\bigvee_j C'_j X = D'_j$ in equation D.15. This
gives Case 1.2 and Case 1.3.

Case 1.2: For some $j$, $AX = B \wedge A'X = B' \Rightarrow C'_j X = D'_j$.

Using Theorem 18 there exists a row vector $[R_1, R_2]$ such that

$R_1 A + R_2 A' = C'_j$
$R_1 B + R_2 B' = D'_j.$

In this case an interpolant for $(F, G)$ is the linear equation $R_1 AX = R_1 B$. One can
verify that $R_1 AX = R_1 B$ satisfies all the conditions required by the definition of
interpolants.

Case 1.3: For some $i$, $AX = B \wedge A'X = B' \Rightarrow C_i X = D_i$.

In the above two cases (1.1 and 1.2) the interpolant is a linear equation. In this
case the interpolant will be a linear disequation. Using Theorem 18 there exists a
row vector $[R_1, R_2]$ such that

$R_1 A + R_2 A' = C_i$
$R_1 B + R_2 B' = D_i$

Let $V_{FG}$ denote the variables that occur in both $F$ and $G$ and let $V_{F \setminus G}$ denote the
variables that occur only in $F$ (and not in $G$).

Observe that $R_1 AX = R_1 B$ can be written as follows (we index the variables by $p$ to keep them apart from the index $i$ of the disequation):

$\sum_{x_p \in V_{F \setminus G}} a_p x_p + \sum_{x_p \in V_{FG}} b_p x_p = k$

Similarly, $C_i X = D_i$ can be written as follows:

$\sum_{x_p \in V_{F \setminus G}} a_p x_p + \sum_{x_p \in V_{FG}} c_p x_p = D_i$

Observe that the variables $x_p \in V_{F \setminus G}$ have the same coefficients in $R_1 AX$ and $C_i X$.
This is because $C_i = R_1 A + R_2 A'$ and the coefficient of $x_p \in V_{F \setminus G}$ in $R_2 A' X$ is zero.
We can write $C_i X \neq D_i$ as

$\sum_{x_p \in V_{F \setminus G}} a_p x_p + \sum_{x_p \in V_{FG}} c_p x_p \neq D_i$

Note that $F$ implies $R_1 AX = R_1 B$ and $C_i X \neq D_i$. Thus, $F$ implies the disequation obtained by subtracting $C_i X \neq D_i$ from $R_1 AX = R_1 B$:

$\sum_{x_p \in V_{FG}} b_p x_p - \sum_{x_p \in V_{FG}} c_p x_p \neq k - D_i$

The above disequation is the required interpolant. It is implied by $F$ and only
contains variables common to $F$ and $G$. One can show that the above disequation is
$R_2 A' X \neq R_2 B'$, since $R_1 A - C_i = -R_2 A'$ and $R_1 B - D_i = -R_2 B'$. Since $G$ implies $R_2 A' X = R_2 B'$, the above disequation is unsatisfiable
with $G$.


D.8  Handling  of  Linear  Modular  Disequations 

Lemma 13 The problem of deciding whether a system (conjunction) of linear
modular disequations (LMDs) has an integral solution is NP-hard.

Proof. We reduce the well known NP-hard problem 3-SAT to a system of LMDs
denoted by $L$. Let the variables in the 3-SAT problem be $z_1, \ldots, z_n$. For each variable
$z_i$ in the 3-SAT problem we introduce two integer variables $x_i$ and $x'_i$ in $L$, where
$x_i$ represents the literal $z_i$ and $x'_i$ represents the literal $\neg z_i$.

The modulus of the LMDs in $L$ will be four. We first express the constraint that either
$x_i =_4 1$ and $x'_i =_4 0$, or $x_i =_4 0$ and $x'_i =_4 1$. This is done by means of the following
LMDs.

$L_1 := \bigwedge_{i=1}^n \neg(x_i =_4 x'_i) \wedge \bigwedge_{i=1}^n \neg(x_i =_4 2) \wedge \bigwedge_{i=1}^n \neg(x_i =_4 3) \wedge \bigwedge_{i=1}^n \neg(x'_i =_4 2) \wedge \bigwedge_{i=1}^n \neg(x'_i =_4 3)$

Now consider any clause $u \vee v \vee w$ in the given 3-SAT formula, where $u, v, w \in \{z_1, \ldots, z_n, \neg z_1, \ldots, \neg z_n\}$. Let $\delta(u)$ map the literal $u$ to the corresponding variable in
$L$. For each clause $u \vee v \vee w$ in the 3-SAT formula, we generate the following
LMD

$\neg(\delta(u) + \delta(v) + \delta(w) =_4 0).$

Under $L_1$ each of $\delta(u), \delta(v), \delta(w)$ is $0$ or $1$ modulo 4, so their sum lies between $0$ and $3$ and the LMD above is falsified only when $\delta(u), \delta(v), \delta(w)$ are all assigned $0 \pmod 4$; a modulus of 2 or 3 would not do, since two or three true literals would then sum to $0$.
For all other assignments of values to $\delta(u), \delta(v), \delta(w)$ the LMD is satisfied (this captures
the semantics of the clause).

Let the set of clauses in the 3-SAT formula be $\mathcal{C}$.

$L_2 := \bigwedge_{(u \vee v \vee w) \in \mathcal{C}} \neg(\delta(u) + \delta(v) + \delta(w) =_4 0)$

Let $L = L_1 \wedge L_2$. Observe that the 3-SAT formula is satisfiable if and only if $L$ is
satisfiable. The reduction from the given 3-SAT formula to $L$ is polynomial time.
This establishes the NP-hardness of checking the satisfiability of conjunctions of
LMDs. □
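The reduction in the proof of Lemma 13, as an added example that is not code from the thesis: the Python below maps a 3-SAT instance to the LMD conjunction $L = L_1 \wedge L_2$ with modulus 4, represents each LMD as a coefficient vector and a right-hand side, and checks equisatisfiability by brute force over residues (sound because all coefficients are integers). The two clause sets are constructed for the example; the representation of LMDs and the function names are this example's own.

```python
# Added example (not from the thesis): the 3-SAT to LMD reduction of Lemma 13.
# An LMD is a pair (coeffs, rhs) standing for  not( sum_k coeffs[k] * var_k =_4 rhs ).
from itertools import product

MOD = 4

def reduce_3sat_to_lmds(n, clauses):
    """clauses: list of 3-tuples of non-zero ints, k > 0 meaning z_k and k < 0 meaning not z_k.
    Variable index i (0-based) of L is x_{i+1}; index n + i is x'_{i+1}."""
    nv = 2 * n
    def vec(*idx):                     # coefficient vector with 1 at each listed index
        c = [0] * nv
        for k in idx:
            c[k] += 1
        return c
    def delta(lit):                    # the map delta: literal -> variable of L
        k = abs(lit) - 1
        return k if lit > 0 else n + k
    L1 = []
    for i in range(n):
        xi, xi_neg = i, n + i
        c = vec(xi); c[xi_neg] -= 1
        L1.append((c, 0))              # not(x_i =_4 x'_i)
        for var in (xi, xi_neg):
            L1.append((vec(var), 2))   # not(var =_4 2)
            L1.append((vec(var), 3))   # not(var =_4 3)
    # L2: not(delta(u) + delta(v) + delta(w) =_4 0) per clause; with each delta in
    # {0, 1} the sum is at most 3, so it is 0 mod 4 only when all literals are false
    L2 = [(vec(delta(u), delta(v), delta(w)), 0) for (u, v, w) in clauses]
    return L1 + L2

def lmds_satisfiable(nv, lmds, mod=MOD):
    """Integer-coefficient LMDs depend only on residues, so search Z_mod^nv."""
    for x in product(range(mod), repeat=nv):
        if all(sum(c * xv for c, xv in zip(coeffs, x)) % mod != rhs % mod
               for coeffs, rhs in lmds):
            return True
    return False

def sat_3sat(n, clauses):
    """Reference brute-force 3-SAT solver."""
    for assign in product((False, True), repeat=n):
        if all(any(assign[abs(l) - 1] == (l > 0) for l in cl) for cl in clauses):
            return True
    return False

def reduction_is_faithful(n, clauses):
    return sat_3sat(n, clauses) == lmds_satisfiable(2 * n, reduce_3sat_to_lmds(n, clauses))

# Constructed instances over z_1, z_2, z_3: one satisfiable, and the set of all
# eight sign patterns, which is unsatisfiable.
SAT_CLAUSES = [(1, 2, 3), (-1, 2, 3), (1, -2, -3), (-1, -2, 3)]
UNSAT_CLAUSES = [(s1 * 1, s2 * 2, s3 * 3) for s1 in (1, -1) for s2 in (1, -1) for s3 in (1, -1)]

if __name__ == "__main__":
    for name, cl in (("sat", SAT_CLAUSES), ("unsat", UNSAT_CLAUSES)):
        print(name, "faithful:", reduction_is_faithful(3, cl))
```

$L_1$ contributes five LMDs per propositional variable and $L_2$ one per clause, so the size of $L$ is linear in the size of the 3-SAT instance, which is the polynomial bound the proof relies on.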


D.8.1  Proofs  of  Unsatisfiability  and  Interpolants  for  LMDs 

We  can  reduce  a  system  of  LMDs  or  LMEs+LMDs  to  a  conjunction  of  atomic 
formulas  in  integer  linear  arithmetic  (both  problems  are  NP-hard)  and  use  the 
cutting-plane  proof  system  to  obtain  a  proof  of  unsatisfiability.  Pudlak’s  [126] 
algorithm  can  be  used  for  obtaining  interpolants. 


D.9  Obtaining  Polynomially  Sized  Cutting-plane  Proofs 
for  LDEs 

Given an unsatisfiable system of LDEs $AX = B$, a proof of unsatisfiability is a
rational row vector $R$ such that $RA$ is integral, while $RB$ is not an integer. We
know that $R$ can be obtained in polynomial time.

We show that using $R$ we can obtain a polynomially sized cutting plane proof
of unsatisfiability of $AX = B$. The cutting plane proof system was described in Appendix D.4. It consists of three inference rules nonneg_lin_comb, rounding
and weak_rhs.

We first write $R = S_1 - S_2$, where both $S_1, S_2$ are non-negative row vectors. For
example, $S_1$ can hold the positive entries of $R$ (and zero elsewhere) and $S_2$ the absolute values of the negative entries of $R$ (and zero elsewhere).

We write $AX = B$ as $AX \le B \wedge -AX \le -B$. The cutting plane proof of unsatisfiability consists of the following steps.

$\dfrac{AX \le B}{S_1 AX \le S_1 B}$ ($S_1 \ge 0$, nonneg_lin_comb)

$\dfrac{-AX \le -B}{-S_2 AX \le -S_2 B}$ ($S_2 \ge 0$, nonneg_lin_comb)

$\dfrac{S_1 AX \le S_1 B \qquad -S_2 AX \le -S_2 B}{[S_1 - S_2] AX \le [S_1 - S_2] B}$ (nonneg_lin_comb)

Since $R = [S_1 - S_2]$ we can write the above step as

$\dfrac{S_1 AX \le S_1 B \qquad -S_2 AX \le -S_2 B}{RAX \le RB}$ (nonneg_lin_comb)

Multiplying $AX \le B$ by $S_2$ and $-AX \le -B$ by $S_1$ we can derive

$\dfrac{S_2 AX \le S_2 B \qquad -S_1 AX \le -S_1 B}{-RAX \le -RB}$ (nonneg_lin_comb)

By definition of $R$ we know that $RB$ is not an integer. Let $\lfloor RB \rfloor = k$. Then
$\lfloor -RB \rfloor = -k - 1$. Since $RA$ is integral we can apply rounding to $RAX \le RB$
and $-RAX \le -RB$.

$\dfrac{RAX \le RB}{RAX \le k}$ (rounding)

$\dfrac{-RAX \le -RB}{-RAX \le -k - 1}$ (rounding)

The contradiction is obtained by summing $RAX \le k$ and $-RAX \le -k - 1$.

$\dfrac{RAX \le k \qquad -RAX \le -k - 1}{0 \le -1}$ (nonneg_lin_comb)

Since $R$ is polynomially sized the cutting plane proof is also polynomially sized.
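The construction above, as an added example that is not code from the thesis: the Python below implements the nonneg_lin_comb and rounding rules of Appendix D.4 as functions that refuse invalid applications, and `cutting_plane_proof` replays the nine steps of Appendix D.9 from a given proof of unsatisfiability $R$, ending in $0 \le -1$. The system is the one of Example 45 and $R = [\tfrac{1}{2}, -\tfrac{1}{2}]$ was chosen by hand so that both $S_1$ and $S_2$ are non-zero; the step representation is this example's own.

```python
# Added example (not from the thesis): the cutting-plane refutation of Appendix
# D.9 built from a proof of unsatisfiability R of AX = B. A step is a triple
# (E, F, rule) standing for the derived inequality E X <= F.
from fractions import Fraction
from math import floor

def nonneg_lin_comb(rows, rhs, coeffs):
    """From rows[k] X <= rhs[k] derive (sum_k coeffs[k] rows[k]) X <= sum_k coeffs[k] rhs[k]."""
    assert all(c >= 0 for c in coeffs), "rule requires a non-negative combination"
    E = [sum(c * r[j] for c, r in zip(coeffs, rows)) for j in range(len(rows[0]))]
    F = sum(c * b for c, b in zip(coeffs, rhs))
    return E, F

def rounding(E, F):
    """From E X <= F with integral E derive E X <= floor(F)."""
    assert all(e.denominator == 1 for e in E), "rule requires integral coefficients"
    return E, Fraction(floor(F))

def cutting_plane_proof(A, B, R):
    A = [[Fraction(a) for a in row] for row in A]
    B = [Fraction(b) for b in B]
    R = [Fraction(r) for r in R]
    S1 = [max(r, 0) for r in R]                    # R = S1 - S2 with S1, S2 >= 0
    S2 = [max(-r, 0) for r in R]
    negA = [[-a for a in row] for row in A]        # -A X <= -B, the other half of AX = B
    negB = [-b for b in B]
    steps = []
    def add(E, F, rule):
        steps.append((E, F, rule))
        return E, F
    e1, f1 = add(*nonneg_lin_comb(A, B, S1), "nonneg_lin_comb")               # S1 A X <= S1 B
    e2, f2 = add(*nonneg_lin_comb(negA, negB, S2), "nonneg_lin_comb")         # -S2 A X <= -S2 B
    RA, RB = add(*nonneg_lin_comb([e1, e2], [f1, f2], [1, 1]), "nonneg_lin_comb")   # R A X <= R B
    e3, f3 = add(*nonneg_lin_comb(A, B, S2), "nonneg_lin_comb")               # S2 A X <= S2 B
    e4, f4 = add(*nonneg_lin_comb(negA, negB, S1), "nonneg_lin_comb")         # -S1 A X <= -S1 B
    nRA, nRB = add(*nonneg_lin_comb([e3, e4], [f3, f4], [1, 1]), "nonneg_lin_comb")  # -R A X <= -R B
    assert RB.denominator != 1, "R is not a proof of unsatisfiability (RB is an integer)"
    k_ineq = add(*rounding(RA, RB), "rounding")            # R A X <= k,     k = floor(RB)
    nk_ineq = add(*rounding(nRA, nRB), "rounding")         # -R A X <= -k-1
    add(*nonneg_lin_comb([k_ineq[0], nk_ineq[0]], [k_ineq[1], nk_ineq[1]], [1, 1]),
        "nonneg_lin_comb")                                 # 0 <= -1
    return steps

def is_refutation(steps):
    """True iff the last derived inequality is 0 <= -1."""
    E, F, _ = steps[-1]
    return all(e == 0 for e in E) and F == -1

# Constructed input: the system of Example 45 with a hand-picked proof R.
A_EX = [[1, -2, 0], [1, 0, -2]]
B_EX = [0, 1]
R_EX = [Fraction(1, 2), Fraction(-1, 2)]

if __name__ == "__main__":
    for E, F, rule in cutting_plane_proof(A_EX, B_EX, R_EX):
        print(rule, [str(e) for e in E], "X <=", F)
```

With this $R$, $RA = [0, -1, 1]$ and $RB = -\tfrac{1}{2}$, so $k = -1$: rounding yields $RAX \le -1$ and $-RAX \le 0$, whose sum is $0 \le -1$. Passing an $R$ with integral $RB$ trips the assertion rather than producing a bogus refutation.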


D.10  Using  SMT  Solvers  for  Obtaining  a  Proof  of 
Unsatisfiability  for  LDEs/LMEs 


We  can  determine  if  a  system  of  LDEs  CX  =  D  is  unsatisfiable  and  obtain  a  proof 
of  unsatisfiability  (if  applicable)  by  using  decision  procedures  for  (mixed)  integer 
linear  arithmetic  in  a  black-box  fashion.  For  example,  one  can  use  modern  SMT 
solvers  such  as  Yices  [24]  to  obtain  proofs  of  unsatisfiability.  The  idea  is  to  en¬ 
code  the  existence  of  a  rational  row  vector  R  such  that  RC  is  integral  and  RD  is 
not  an  integer  in  form  of  a  formula  that  can  be  checked  using  existing  decision 
procedures.  This  is  motivated  by  the  idea  proposed  in  [128]  for  real  and  rational 
linear  arithmetic.  We  illustrate  the  technique  by  means  of  an  example. 
Example 45 Consider the system of LDEs $CX = D$:

$$\begin{bmatrix} 1 & -2 & 0 \\ 1 & 0 & -2 \end{bmatrix} \begin{bmatrix} x \\ y \\ z \end{bmatrix} = \begin{bmatrix} 0 \\ 1 \end{bmatrix}$$

We use two rational variables $r_1, r_2$ to denote the proof of unsatisfiability $R = [r_1, r_2]$. We use three integer variables $v_1, v_2, v_3$ to express the constraint that $RC$ is integral. We introduce another integer variable $v_4$ to express the constraint that $RD = r_2$ is not an integer.

$$P := (v_1 = r_1 + r_2) \wedge (v_2 = -2r_1) \wedge (v_3 = -2r_2) \wedge (v_4 < r_2) \wedge (r_2 < v_4 + 1)$$

If the decision procedure for integer linear arithmetic determines that $P$ is satisfiable, then we get a proof of unsatisfiability for $CX = D$ by looking at the assignments to $r_1, r_2$. If $P$ is unsatisfiable, it means that the system $CX = D$ is satisfiable.


We formalize the idea below. Suppose the sizes of $C, X, D$ in the system of LDEs $CX = D$ are $m \times n$, $n \times 1$, $m \times 1$, respectively. The formula $P$ contains:

- $m$ rational variables $r_1, \ldots, r_m$ such that $R = [r_1, \ldots, r_m]$

- $n$ integer variables $v_1, \ldots, v_n$ to express that each element of $RC$ is integral.

- One integer variable $v_{n+1}$ to express the constraint that $RD$ is not an integer by using two strict inequalities.

Let $(RC)_i$ denote the $i$th element in the row vector $RC$. Then we have

$$P := \bigwedge_{i=1}^{n} \big(v_i = (RC)_i\big) \wedge (v_{n+1} < RD) \wedge (RD < v_{n+1} + 1)$$

The formula $P$ is given to an SMT solver. If $P$ is satisfiable, we get the required proof of unsatisfiability $R$. Otherwise, we know that the given system of LDEs is satisfiable.
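As an added illustration (this is not code from the thesis, nor from Yices), the following Python block carries through, on the Example 45 system, both the cutting plane rounding argument of the previous section and the encoding of $P$ described here. It checks a candidate certificate $R$ exactly with rational arithmetic ($RC$ integral, $RD$ not an integer), emits $P$ as SMT-LIB 2 text for any solver that accepts the logic QF_LIRA, and replays the rounding step that turns $RAX \le RB$ and $-RAX \le -RB$ into $0 \le -1$. The function names, the use of SMT-LIB 2 rather than the Yices input language, and the choice of QF_LIRA are my assumptions; the matrix and vector are the constructed input from Example 45.

```python
from fractions import Fraction
from math import floor

# Constructed input, taken from Example 45 of the text:
#   x - 2y = 0  and  x - 2z = 1   (x would have to be both even and odd).
C = [[1, -2, 0],
     [1, 0, -2]]
D = [0, 1]


def row_times_matrix(R, M):
    """Row vector R times matrix M, computed exactly with Fractions."""
    ncols = len(M[0])
    return [sum(Fraction(R[i]) * M[i][j] for i in range(len(M)))
            for j in range(ncols)]


def row_times_vector(R, V):
    """Row vector R times column vector V (a scalar)."""
    return sum(Fraction(R[i]) * V[i] for i in range(len(V)))


def is_unsat_proof(C, D, R):
    """Certificate check from the text: RC integral and RD not an integer."""
    RC = row_times_matrix(R, C)
    RD = row_times_vector(R, D)
    return all(v.denominator == 1 for v in RC) and RD.denominator != 1


def smt_num(c):
    """Format a coefficient as an SMT-LIB Real literal; negatives as (- 2.0)."""
    c = Fraction(c)
    if c.denominator == 1:
        text = f"{abs(c.numerator)}.0"
    else:
        text = f"(/ {abs(c.numerator)}.0 {c.denominator}.0)"
    return f"(- {text})" if c < 0 else text


def smt_lin(coeffs, names):
    """sum_i coeffs[i] * names[i] as an SMT-LIB term, zero coefficients dropped."""
    terms = [f"(* {smt_num(c)} {v})" for c, v in zip(coeffs, names) if c != 0]
    if not terms:
        return "0.0"
    return terms[0] if len(terms) == 1 else f"(+ {' '.join(terms)})"


def encode_P(C, D):
    """Build the formula P of the text as SMT-LIB 2 text (logic QF_LIRA assumed).
    Variables r1..rm are Real, v1..v(n+1) are Int, exactly as in the text."""
    m, n = len(C), len(C[0])
    r = [f"r{i + 1}" for i in range(m)]
    out = ["(set-logic QF_LIRA)"]
    out += [f"(declare-const {name} Real)" for name in r]
    out += [f"(declare-const v{j + 1} Int)" for j in range(n + 1)]
    for j in range(n):                       # v_j = (RC)_j
        col = [C[i][j] for i in range(m)]
        out.append(f"(assert (= (to_real v{j + 1}) {smt_lin(col, r)}))")
    rd = smt_lin(D, r)                       # v_{n+1} < RD < v_{n+1} + 1
    out.append(f"(assert (< (to_real v{n + 1}) {rd}))")
    out.append(f"(assert (< {rd} (+ (to_real v{n + 1}) 1.0)))")
    out += ["(check-sat)", "(get-model)"]
    return "\n".join(out)


def cutting_plane_contradiction(C, D, R):
    """Replay the rounding argument: k = floor(RD); the rounded inequalities
    RAX <= k and -RAX <= floor(-RD) = -k-1 sum to 0 <= -1.
    Returns (k, right-hand side of the sum); a right-hand side of -1 is the
    contradiction, and it arises only when RD is not an integer."""
    RD = row_times_vector(R, D)
    k = floor(RD)
    return k, k + floor(-RD)


if __name__ == "__main__":
    R = [Fraction(1, 2), Fraction(1, 2)]     # a satisfying assignment to r1, r2
    print(encode_P(C, D))
    print("valid certificate:", is_unsat_proof(C, D, R))
    print("rounded sum gives 0 <=", cutting_plane_contradiction(C, D, R)[1])
```

For the Example 45 system the solver is expected to return an assignment such as $r_1 = r_2 = 1/2$; feeding it to `is_unsat_proof` confirms $RC = [1, -1, -1]$ is integral and $RD = 1/2$ is not, and the rounding replay yields $0 \le -1$. An assignment with $RD$ integral, such as $r_1 = r_2 = 1$, is rejected, which is the check a consumer of solver-produced certificates should perform rather than trusting the solver's answer.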

The  proof  of  unsatisfiability  for  a  system  of  linear  modular  equations  can  be 
computed  in  a  similar  manner  as  well  (using  definition  17). 

As  shown  by  experimental  results  in  Section  6.8,  the  black-box  use  of  SMT 
solver  Yices  to  obtain  proofs  of  unsatisfiability  is  not  efficient  (as  compared  to  the 
use  of  HNF).  The  main  reason  for  this  seems  to  be  the  structure  of  P.  Even  though 
the  encoding  used  to  obtain  P  is  natural,  it  is  difficult  for  algorithms  used  in  Yices 
to  decide  P. 